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ABSTRACT 


With the introduction of formal specification of 
abstracted computer resources, both physical and logical, 
there is the possibility that a major step forward can be 
made toward developing a methodology for reducing the 
portability and reusability costs of computing system 
components. Still, the current methodology is only concerned 
with the static functional properties of resources and not 
their timing properties. This places limitations on the 
generality of the method. This study describes a way to 
formally specify the timing of computer systems by combining 


ideas of both semantic algebras and Petri Nets. 
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I. INTRODUCT1ON 


Timing in computer systems has been a critical issue 
throughout the evolution of computers. The most obvious areas 
where timing is of great concern are operating systems, 
distributed systems and real-time systems. In the most other 
areas, timing of a computer program is taken for granted 
since we assume a simple sequential execution of this 
program. But we have to realize that, when we consider the 
program and the machine on which it has to run asa whole, 
i.e. a computer system, we have to deal also with the 
internal timing of the hardware. Even though high level 
programming languages have provided us with the means to 
software from one system to another, we still find these 
programs may not work properly because of timing problems. 
These timing problems are normally caused by different 
implementations of computer resources. So It would be very 
helpful to have a way of comparing computer systems and 
predicting problems in timing when programs are transferred. 
lt would even be much better to have specifications of 
computer systems that could be used to design transferrable 
programs in the first place. 

There is ongoing research at the Naval Postgraduate 
School on the formal specifications of computer systems that 


is mainly intended to overcome the increasing costs of 


computer software resulting from problems with portability 
and reusability of programs. The first result of this 
research project has been the development of a formal 
specification methodology by Davis (1984). This methodology 
was successfully used to write a formal specification of an 
Abstract Processor by Yurchak (1984).' This work was followed 
by several extensions of the Abstract Processor and related 
work by Hunter (1985) and Zang (1985). The research performed 
at the Naval Postgraduate School is part of a relatively new 
branch of computer science: the Science of Computing Systen 
Design which is concerned with a formal approach to the 
specification and description of computer systems. This 
thesis follows the direction of previous work done in this 
field. Its objective is to formally specify timing in 
computer systems. Even though there has’7 been considerable 
interest in timing, our approach will emphasize two aspects 
of the problem: 
- We want to develop a formal way to specify timing to 
achieve the benefits of the rigorous foundation of a 
formal description. 


- We want to specify abstracted resources which include 
both hardware and software with a unified approach. 


Throughout this thesis the term “computer resources” is 
used in a sense that combines all hardware and software 
building blocks of computer systems: memory, registers, data 
types, instructions, etc... Also the special aspect we are 

*An edited version of the specification of the Abstract 
Processor is included in Appendix A 
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concerned with is time as a computer resource. Computer 
resources can be either pure physical or they can be an 
abstract type. A memory cell belongs to the physical category 
while a specific data type belongs to the abstract category. 
The means to deal with these differences is abstraction. 
Specifying computer resources as abstractions in a 
mathematical way also allows us to compare different 
specifications and implementations. 

Within this work we will emphasize a practical viewpoint. 
Even though in applying pure mathematical concepts7 to 
computer systems we realize that computers are in no way 
ideal: as every piece of hardware is finite (especially the 
memory) and an event in the computer is never instantaneous 
but will take a certain amount of time. In this context, for 
example, the term “digital computer” is misleading since 
there are many undefined states between those defined "0" and 
yo 
Therefore the goal of this thesis is to provide a 
methodology for the rigorous specification of timing: 

- to evaluate the time behavior of systems which leads to 
the exhibition of possible places in system where 


parallelism could be used, 


- to give a better understanding of the dynamic aspect 
of computer resources in time, and 


- to find time critical situations in a system. 


Il. BACKGROUND 


A. FORMAL SPECIFICATION 

The idea of specifying a system formally is to deal with 
physical and abstract computer resources as abstractions to 
support our major concerns with portability and reusability. 
In this sense we deal with computer resources as abstractions 
which we want to describe such that the functions and the 
properties of a resource are stated in a mathematical way to 
support precision and provability. Studies in this direction 
have been conducted by many researchers (Goguen (1978), 
Guttag (1978), Bergstra (1983), and Davis (1984)). As a short 
introduction to this work we would like to present some key 
issues here as they were used in the first formal 
specification of the Abstract Processor. 

The formal specification of the Abstract Processor is 
based on the method of algebraic specification which consists 
of two parts: the interface specification and the constraints 
specification. The interface specification declares operands 
and the operators that can be applied to them, so information 
for syntactic constructions and type checking are provided. 
The constraints specification is a set of properties that 
define constraints on the operations. These properties are 
stated by equations that associate the same meaning to pairs 


of expressions of the specification. As an example the 
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specification of the computer resource "boolean" is shown in 


Figure 2.1. 


Resource boolean is 


Operands 
bool 


Operators 
not: bool -> bool; 
and: bool,bool -> bool; 
true: -> bool; 
false: -> bool; 


Properties 
not(true()) = false(); 
not(not(x)) = x; 
and(true(),x) = x 


, 
and(false(),x) = false (); 


end boolean; 


Figure 2.1: Specification for Resource “boolean” 


Figure 2.1 illustrates the definition of one operand type 
(bool) and the operations (not, and, true, false) that are 
allowed with this operand. The operations are stated as 
functions with their input and output. Note here that the 
constants resembling “true” and “false” are obtained from the 
nullary operator functions with no input ("true()" and 
"false()"). Up to this point only the interface part is 
considered. The meaning of the specification is indirectly 
in the form of equations that state that certain expressions 
must be treated identically to other expressions. The above 


equations use "x" as a free variable, i.e. "x" stands for any 
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expression that can represent an operand of type "bool"™. So 
far this computer resource "boolean" is an abstract data type 
in the traditional meaning. But computer resources also 
consists of physical resources which are very similar to 
abstract data types in their specification. Figure 2.2 
provides” an example of specifying a physical computer 
resource to indicate the memory state of the Abstract 
Processor. For Simplicity only the operands for 
initialization, fetching and storing are presented. The first 
interesting fact to note in this specification is that it 
states that the resource “amstate” is an extension of the 
previously defined specifications of the resources “boolean", 
"“memaddress", and “regaddress", i.e. all operands, operators, 
and properties defined in these specifications can be used to 
specify “amstate”™ without further explanations. The operand 
"state”™ has in this example four operators to initialize the 
processor, to fetch from memory and registers, and to store 
to memory and registers. The properties for these operations 
are shown by equations that indicate their relations among 
them. Note that this example uses the term “undefined” to 
indicate an error or don’t care condition (the attempt to 
fetch the contents of an register or memory address of a new 
initialized processor is illegal). 

The basic step in becoming familiar with formal 
specifications is to consider the well-known constructs of 


abstract data types: a class of objects together with a set 
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of operations that may be applied to these objects. This 


approach can also be applied to physical computer resources. 


Resource amstate Is 


Extension of 
boolean, 
memaddress, 
regaddress, 


Operands 
state; 


Operators 
fetchm: memaddr,state -> val; 
fetchr: regaddr,state -> val; 
storem: val,memaddr,state -> state; 
storer: val,regaddr,state -> state; 
iInitam: -> state; 


Properties 


fetchm(a,initam()) is undefined; 

storem(fetchm(a,q),a,q) = q; 

implies(eqmemaddr(al,a2), 
fetchm(al, storem(v, a2, q)) 
= true(); 

implies(not(eqmemaddr(al,a2), 
fetchm(al, storem(v,a2,q)) = fetchm(al,q)) 
= true(); 


v) 


fetchr(r, initam()) is undefined; 
storer(fetchr(r,q),7r,q) = q; 
implies(eqregaddr(ri,r2), 
fetchr(ri, storer(v,r2,q)) = v) 
= true(); 
implies(not(egqregaddr(ri,r2), 
fetchr(ri, storer(v,r2,q)) = fetchr(ri,q)) 
= true(); 


end amstate; 


Figure 2.2: Specification of “amstate" 


SL SS =e SS SS Pp gS ss stg sestsyeemnnammmmnsemes 
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Then we have concrete algebras which describe an aggregate of 
Operations and sets of values where the sets are the source 
for arguments and result types of each operation. This is a 
system in which there are sets and operations that are 
applied to elements of the sets such that the results of the 
operators stay ine the system. When we construct a 
specification of such a system, we attempt to create a 
specification that serves as templates for the sets and 
operators in a concrete algebra and axioms which state 
provable equations about the values and operations. With such 
a specification we have something which describes’ the 
resource abstractly and precisely without restricting it to a 
specific concrete algebra, i.e. there can be many algebras 
that are implementations of a single specification. They are 
considered as the class of algebras uniquely associated to 
that specification. 
1. Syntax versus Semantics 

We refer to the syntax of description as the "form" 
of the description and to semantics as the "meaning" of the 
description. 

The meaning is always determined by associating form 
to real objects. Basically the syntactic part describes legal 
expressions that can be formed with the operators’ in the 
specification. These expressions are called formal terms. The 
constraint part specifies that certain formal terms are to be 


considered equivalent. The meaning of specifications is 
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established by associating certain concrete algebras to the 
specification. There algebras represent the "real object". 
Operational expressions in the concrete algebras are called 
actual terms. Semantics are defined by a correspondence 
between properties of formal terms and actual terms. A real 
‘object is a realization of the abstract object defined by a 
specification under three conditions as they are stated in 
Davis and Yurchak (1984): 
- Condition i: 
For each operand type of the specification there is a 
corresponding set of values in the real object and to 
each operator in the specification there is a 
corresponding operation in the real object that is 
defined on values that correspond to the operand types of 
the operator. 
- Condition 2: 
In the correspondence between formal terms and actual 
terms, two formal terms are provably equal if and only if 
their corresponding actual terms have the same value. 
- Condition 3: 
To every value of the real object there must correspond 
some formal term whose corresponding actual term has that 
value. 

These conditions provide us with a powerful insight: 
given a formal specification of some resources there can be 
different implementation in the real world (as they probably 
are on different machines), but as long as the 
implementations satisfy the above conditions they are 
equivalent. This is a very important property when the issue 
Of portability is concerned. 


Still an formal specification despite its abstract 


view of resources’ has to deal with the _ real world: for 
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example there is nothing like true infinite memory so that a 
defined operator like “nextmemaddr”™ (to obtain the memory 
address of the next instruction to be executed) will 
eventually exceed the physical implemented memory of a 
system. The “undefined” has beén introduced in the formal 
specifications to act like a safeguard. It indicates that 


there is no interpretation in the realization for this term. 


B. PETRI NETS 
Petri Nets are tools for the study of systems through 
modeling. The Petri Net theory has been originally introduced 
by Carl Adam Petri in his doctoral dissertation (1962). 
Further studies of A. W. Hold and Jack 8B. Dennis’ helped to 
develop this theory. 
1. Terminology of Petri Nets 
From Peterson (1981) a basic Petri Net is defined as 
a five-tuple M = (P,T,!I,0,m) which is composed out of the 
following parts: 
- a set of places P 
- a set of transitions T 
- an input function 1 
- an output function O 
- a marking vector m 
The function |! is a mapping from a transition t; to a 
collection of input places O(t,) and the function OQ isa 


mapping of a transition t, to a collection of output places 


I¢t,), the marking vector m indicates the number of tokens 
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preset in each place. In this general form, developed by C.A. 
Petri, a place can hold more than one token at a time.#? 

As an example, the following net structure is 
presented here and Figure 2.3 shows its corresponding graph 
in the common symbology of Petri Net graphs where eice bes 


indicate places, bars indicate transitions, and arrows show 


the connections between places and transitions: 


e= (P,T, 1,0,m) 

P ioe, Pas) Pe, Ps Ps > P7 s Pe} 

fe = tt, , ta, ts,ts,ts } 

me—-) (1,0,0,0,0,0,0,0) 

I(t,) = ({p,} O(t,) = {po,p.} 
I(t) = fehy gy Hit >) = {p; } 
I(ts) = {p2,ps} ety = tps; p. } 
ict.) = {p.,ps } Ott.) = {pry} 

mc ts ) = ipa, py Octs) = {pe } 





Peeure  2.9- Graph of Petri Net 





The following Petri Net terminology is used in this thesis: 


- place = a construct for modeling conditions of the system 
- event = actions that take place in the system 
- token = a construct used to indicate that a condition 


holds (a true condition) 


*The reader is referred here to the BAG theory 
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- transition = the process of recognizing true 
preconditions, the occurrence of an event, and making the 
postconditions hold 

~- concurrency = two or more events depending on different 
preconditions can occur in any order 

- conflict = only one of two or more events depending on at 
least one common precondition can occur 


To give a simple description of Petri Nets we can say the 
following: An event occurs (a tnaneneetion is initiated or 
enabled) when all of its preconditions hold. The effect of 
the occurrence is that the tokens of the preconditions are 
"used" for the event and then distributed to the 
postconditions. 

The following constructors can be recognized in Petri Nets: 


- simple transitions «=.there is one precondition and 
whenever this condition holds the event occurs so that 
the token from the precondition is removed and after the 
occurrence of the event the token is moved _ to the 
postcondition so that this condition now holds (Figure 
280. 


~ conjunctive transitions = there are two or more 
preconditions that all have to hold in order for the 
event to occur. All tokens of the preconditions are used 
and after the occurrence of the event only one token is 
moved to the postcondition to indicate that it now holds 
(Figure 2.5). 


- disjunctive transitions = one precondition is connected 
to two or more events and when this precondition holds 
one of the events will occur and will move the token from 
the precondition to the postcondition of that event that 
occurred. The selection of the event to occur is 
non=deterministic (Figure 2.6). 


- distributive transitions = there is one precondition and 
when this holds the connected event will occur. It will 
remove the token from the precondition and it to all 
postconditions so that every postcondition of this event 
will have a token (Figure 2.7). 


- complex transitions = combinations of the above simple 
constructs of Petri Nets. 
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Figure 2.4: Simple Transition 
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Plcure 2.0: Conjunctive Transition 
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Figure 2.6: Disjunctive Trancmenen 
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Figure 2.7: Distributive Transition 


Tae Properties of Petri Nets 


Petri Nets by their nature are well suited to model 
asynchronuous processes, i.e. where the progress of a process 
is controlled by conditions and events and not by some kind 
of fixed clock. This means that in some part of the net there 
can be waiting for a condition to start an event, even the 
case that a process cannot continue because of a missing 
condition. Suppose an event is modeled as a conjunctive 
transition as indicated in Figure 2.5. If the precondition 
Ceeei1 1S never true the process will stop at this point. The 
"flow” of the progress can always be observed by the state of 
the condition places in the system. The occurrence of events 
is recognizable by the changing of the preconditions and 


Pesctconditions. 


Pap 


The discussion of disjunctive events has shown an 
important property of Petri Nets: their non-deterministic 
nature, i.e. we have under normal circumstances to force a 
distributive construct in one or the other direction. This is 
a major obstacle when we have to mode! some kind of decision 
making in a Petri Net. One way to get around this problem is 
the construct (introduced by Peterson (1981)) of an “external 
agent™ which provides appropriate TRUE or FALSE places at 
decision points in the net. Here by the intervention of the 
"external agent” the process proceeds in the direction of the 
TRUE or FALSE place. In general, one can think of "external 
agents” as CASE-constructs in high-level programming 
languages such that, dependent on the value of an argument, 
one and only one action is taken by setting the according 
place in the net. We wil! discuss this topic further in 
Chapter IV. 

When we look at the conjunctive and distributive 
constructs we observe that by combining them we can build a 
distributive construct which "fans" out into several holding 
places and then combines again with a conjunctive construct. 
In this way, we have able to introduce parallelism into Petri 
Nets. Figure 2.8 shows the graph of a process that fans out 
into five processes which then merge again into one process. 
This capability of Petri Nets is very powerful and convenient 


in specifying computer resources. 
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process p5 


Figure 2.8: Parallelism with Petri Nets 


S. Modeling with Petri Nets 


Modeling with Petri Nets has been widely used in very 
different areas: computer software, computer hardware, 
chemical reactions, queuing theory, political systems, etc.. 
Two examples as they are presented by Peterson (1981) are 
given to illustrate this modeling work: a portion of a Petri 
Net showing ae contro! Unita ora CGomputen “with multiple 
registers and functional units as an example for modeling 
computer hardware (Figure 2.9) and a Petri Net dealing with 
the mutual exclusion problem as example for modeling computer 
Smtware (Figure 2.10). 

In our approach we want to exploit the ease and the 
Properties of Petri Nets for modeling the combination of 


computer hardware and software as they operate in time. 
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Figure 2.9: Computer Coentrolmunmie 
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Figure 2.10: Mutual  EBwelusien 


24 


ltl. THE PROBLEM OF TIMING SPECIFICATION 


A. GENERAL PROBLEMS 

Why are we so concerned about the timing of a system? 
Time is an important resource in computer systems that must 
be managed carefully. There is almost always the possibility 
that if we invest more of other resources we are able to 
reduce the amount of time a piece of work will need. 
Everybody remembers a mathematical problem like this: if it 
takes one unit to accomplish a task in x hours how many hours 
will it take y units to do the same task? In this very simple 
problem the increase of other resources (e.g. units) will 
reduce the needed time for the task linearly.In computer 
systems we could save time by implementing more CPUs, disk 
drives, arithmetic units, etc... But since more hardware costs 
more money and the control of additional resources uses time 
by itself we have to be very careful in determining the 
resources we need and how we use them. The following example 
Shows the danger of mismanaging computer resources: a 
computer task that requires some resources (e.g. disks) would 
waste them if it holds more than it needed at times when it 
actually does not need them and so prohibits other tasks from 
using them. 

The formal specification as described in the 


specification of the Abstract Processor is only concerned 
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with static computer resources, i.e the timing properties are 
implied by the functional relations between components of the 
system. The static specification is purely functional. For 
example, operands must be evatuated before a function is 
applied but there is no way of indicating the order of 
evaluation. The dynamic computer resources are those that 
express an ordering of resources in time, mutual exclusion 
and concurrency. Instead of assuming some ordering in the use 
of computer resources we want to be able to explicitly state 
and define the timing of a system. 

The goal is to specify the required timing properties 
precisely to a desired degree which for example is sufficient 
to evaluate the system for time and cost efficiency. The 
relation between time and cost depends on the nature of the 
system: there is much more emphasis) on time in system that 
are very time critical (e.g. real-time systems) and not so 
much on systems that are purely problem solvers. 

The basis of this work is to show whether such a 
methodology for specifying timing properties can be based on 
the theory of Petri Nets and how wel! the special cases of 
timing in computer system resources can be expressed in terms 


of Petri Nets. 


26 


B. SPECIFIC PROBLEMS OF INTEREST 
1. Order of Evaluations of Functions 

Given a Penation £(Xi 9 K25p00059X%n) we anny require that 
Xx, to xX, are evaluated before f can be applied.* There is no 
statement that the evaluation of x; has to be started first 
or what evaluation has to be completed first. 

2. Parallel Processing of Parts of Functions 

Considering again our function [f(X1,X2,.-..,;X%n) we 
want to state explicitly which evaluations have to performed 
in parallel and which in sequence. Why do we want to do so? 
Following our purpose, in the specification we want to 
describe timing in a way which is as exact and detailed as a 
timing diagram used to construct hardware. 

3. Mutual Exclusion 

A major problem that arises with parallelism is 
mutual exclusion, i.e. a computer resource can only be used 
by one process at atime and the use of the resource has to 
have a certain entry and exit point to preserve the integrity 
of the resource. 

Consider a simple computer with a memory unit which 
retrieves and stores data on request via a specified 
interface (Memory Buffer Register and Memory Address 
Register). This is parallelism even in simple computers since 


the memory is independent from the CPU. So we have to make 





*Even if x is a constant it has still to be evaluated, 
i.e. its value has to be retrieved 


at 


sure that only one request is handled by the memory unit at a 
time and that the next one is handled when the first one .is 
finished. We ane to be able to explicitly state those 
properties in the specification of timing systems. 

4. Data Flow 

During the course of a process in time certain data 
has to be available in order for the process to proceed. Some 
data is changed, other data is not needed anymore. Here we 
have the problem of how to model data flow by means of Petri 
Nets. 

To make this point more clear let us_ consider the 
execution of following instruction: SUB R1,R2 (subtract the 
contents of register 1 from the contents of register 2 and 
store the result in register 2). During the execution we have 
to retrieve the identities of the registers from the 
instruction (i.e. the instruction has to be decoded) then 
their contents both have to be available before we can 
perform the subtraction. At this point of the execution we do 
not need the identity of the first register anymore, but the 
one for the second since it is not only a_ source for the 
operation but also the destination. Thus, we have to have 
some mechanism in our methodology to state data which is 


available during the course of the execution. 
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1V. APPLICATIONS OF PETRI NETS TO THE TIMING IN FORMAL 


SPECIFICATIONS 


In previous work computer resources have been formally 
specified using basically the algebraic specification 
approach. In essence, this is a type of functional 
specification. The question we address here is can functional 
specification be extended, using Petri Net theory, to provide 


for the specification of timing properties. 


A. GENERAL APPROACH 
Given a general function f(x,,xX2,.--.,%,) what are the 
stages of evaluation for this function? 
- the evaluation of £CX1 >X2p00e2 Xn) must have been 


requested from somewhere and by this the evaluation gets 
into a requested stage 


- for all x,. 3 ¢= 4 <= n, the evaluation is requested 
which starts for all x, a new process with the same 
stages as described here 


- once all x, are evaluated and their results are available 
to our function f it can be evaluated ina processing 
stage 


- when the evaluation is completed and the result is 
available the process is completed 


Note the similarity to the "natural”™ way a human being 
would calculate this function: if we were to calculate 
sum(sin(x? ),sqrt(y)) we had to calculate the square root of y 
and we had to square x and take the sine of it and then we 


would apply the sum-function to the intermediate results. 


23 


However, this example exhibits a problem for our very general 
approach: how do we know what the values of x and y are and 
how do we know that e.g. "sqrt" means "take the square root”. 
Therefore there must be some decoding and retrieval steps in 
between which determine what the parts of the function 
expression mean. This is exactly the case when we consider 
computer instructions: e.g. given an instruction like "ADD Ri 
M2 R3" which means "add the contents of register 1 to the 
contents of memory address 2 and store the result in 
register 3". Here the following steps have to be performed: 

- The instruction has to be decoded (we assume that at this 
stage the instruction is already retrieved): i.e. the 
components of the instruction (operator and operands) 
must be made available to the further evaluation. 

- Up to this stage only the names (i.e. the symbolic 
addresses) of the operands are available and so the next 
step is to retrieve the values of the operands. 

- Now that the operator and the values of the operands are 
available the operation designated by the operator can be 


performed. 


- When the result is available it can be stored into the 
location which expressed by the third operand. 


Figure 4.1 shows the corresponding graph of a Petri Net 
describing the above steps. In this example we see an 
approach to describe the execution of an instruction ina 
sequential manner. Suppose we had a machine ene could 
perform retrieval of values and operation in parallels, how 
could we describe that certain steps could be performed in 
parallel and how could we mark points in time where the 


process can only proceed if some results are available? 
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Figure 4.1: Simple [Instruction Execution Net 


This is the point where we can use the properties of 
Petri Nets: if we model requests and availabilities as places 
of Petri Nets and the actions on requests and availabilities 
as' transitions and connect them accordingly we are ina 
position to model the evaluation of a function ofr the 
eeeewcion of an instruction. 

Up to this point there is nothing new in our methodology 
Since modeling with Petri Nets is common practice and has 
been done for a long time. The question to be ask now is does 
a methodology based on Petri Nets provide the means to 
specify the specific problems of computer systems and their 
components in a way that is consistent with the formal 
Specification of the static properties we have seen in the 
Specification of the Abstract Processor. 

In addition we not only want to look at the timing of 
Systems in an isolated fashion, but also we want to combine 


the specification of static properties, as introduced in the 
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specification of the Abstract Processor, with the 
specification of dynamic. properties of such a system. With 


this combination we can specify systems completely. 


B. NOTION OF SUBNETS 

Now that we have Petri Nets as a too! we can model simple 
timing systems using our methodology. However, we would like 
to simplify and eliminate redundancy: if we use the same 
structure ina net several times, it would be better to have 
this structure defined once and reference this definition 
wherever we need it in our system (Figure 4.2). As an 
example, suppose we realize that a structure to make the 
contents of a certain memory address available to the process 
appears several times in our system. By defining this 
retrieval-function as a subnet we are ina position to use it 
everywhere in the system simply by setting its ENTRY-place 
(in our example with a request for value of a specified 
register) and we obtain the result (the value of the 
specified register) at its EX!IT-place. This works even for 
the case that the subnet specifies a computer resource that 
has to be accessed observing mutual exclusion. 

The major question that has to be asked here is’ how can 
we model such a subnet that has the ability to “sense” where 
it has been invoked and so can return its results’ to that 
location in the system. Computer language constructs like 
procedures or functions use a return address which is saved 
with the call of the procedure/function to determine the 
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location in the program which has’ to be executed after the 
procedure/function is finished. Our model of using Petri Nets 
is different in this aspect: despite the fact that it shows 
the dynamic behavior of a system, its structure is static and 
does not change in time and so all connections between nets 


and subnets are established. Since we have to know all! these 






use of subnet B 


2) 


use of subnet 


Figure 4.2: Symbology of Subnets 


connections we are able to provide for each connection an 
entry-place which is connected to the net internally by 
disjunctive events such that only one can be “fired” at a 
time. The "“firing™ of those events lets a path-place hold 
that indicates the entry-place which triggered the event. 
This path-place decides what exit-place is set when the 
internal net provides the result. 

This definition of a subnet is a very powerful shortcut 
for keeping descriptions of systems limited. lt resembles a 
function construct ina high-level programming language: it 


is been "called" by setting its request-place, does its 
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supposed work and “returns” the result as the available- 


place. 
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Figure 4.3: Generalized Subnet without Mutual Exclusion 
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Figure 4.4: Generalized Subnet with Mutual Exclusion 
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We have to show that our methodology is capable of 


defining subnets and introducing them into other nets. 


c. COMBINING NETS 
With the introduction of subnets we are in need of rules 
and guidelines on how we can combine a_ collection of small 


nets and subnets into a timing system. 


fis Coupling of Nets 


In the preceding paragraph we have assumed that nets 
are connected by entry and exit places, but generally, we 
have two possibilities to connect nets: 


- Coupling by places: to connect two nets the first net 
outputs to a EX!IT-place that is read by the second net as 
an ENTRY-place. In the special case that we use subnets 
in our specification we request the subnet by place (the 
ENTRY-place of the subnet) and obtain the result by a 
place (the EXIT-place of the subnet). 


- Coupling by events: events are shared between nets and 
when the ENTRY-event "fires" the requested net is invoked 
and signals the availability of the result by "firing" 
its EX!IT-event. 


We have chosen the coupling of nets by places because 
of the following reasons: 


- The request for a subnet submitted by a place allows the 
requested subnet more “liberty” to react on the request 
only when it is ready to do so since the pending request 
as a "loaded" place remains until it is used by the net, 
where as in event-coupling the saving requests had to be 
done in a more complicated way. 


- The coupling of nets by places resembles the way events 
like interrupts are processed in real machines, here the 
interrupt does not interrupt the execution of 
instructions at any time, but a status “interrupt” is set 
and this status is checked between the execution of 
instructions and acted upon. 
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2. Extensions of Nets 

To make our methodology consistent we need to state 
what other nets we are going to use in this net. There is a 
close similarity to INCLUDE, USE or WITH constructs of high- 
level programming languages or the EXTEND construct of the 
formal specification. In the specification of timing the 
mentioning of a net to be the extension of another means that 
the parent net is going to use the extended net as a subnet 
in the specification. 

3. Net Selection 

Due to the non-deterministic nature of Petri Nets we 
do not have a traditional net construct which can make 
decisions on truth or falseness and directs the path in the 
net accordingly. A proposed solution for this’ problem by 
Peterson (1981) is to use “external agents" as they were 
presented in Chapter 2. This construct is able to examine a 
status or data on a given condition and make the decision 
whether the condition is fulfilled. With the outcome of the 
decision a path to a place representing true or the place 
representing false is set. By extending this idea we able to 
think of “external agents” as a CASE-statement where one and 
only way through the net is chosen according to a condition 


(see Figure 4.5). 


D. TYPING OF NET ELEMENTS 
In the traditional Petri Net theory we have tokens to 
indicate the flow through the net and to mark holding places. 
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Somtchne firing” of an event consists in collecting a token 
from each of the connected input places, performing the 
designated action and distributing a token to each connected 
output place. This is not enough when we want to describe the 
flow of data in time. Also we want to be able to state 
specifically what kinds of data, what types of data are being 
requested, available or transferred at a certain point in the 


timing of a system. 
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Figure 4.5: Net Selection by "external agents" 


How can we show the presence of data in our methodology? 
On first sight we have two possibilities: either we introduce 
a typed place or a typed token. Both of these constructs 
could indicate the presence of certain data. So we to examine 


both methods under the consideration which of them suits our 
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goal better to develop a practical and understandable 
methodology. 
1. Typed Places 

When we introduce a concept of typed places we still 
have the original meaning of the tokens to indicate the 
holding of a place. The presence of data of a certain type 
must be accomplished by means that have to obey the type of 
the place. The events still react on the presence of tokens 
in the places. 

2. Typed Tokens 

This alternative considers a token as a construct 
that carries an actual piece of data according to the type of 
the token. We can imagine tokens as a message residing in the 
places. The events now can be modeled by picking up a message 
from each connected input placed, performing their designated 
actions, and distributing a message to every connected output 
place. 

So now we can look at places ina net as constructs 
that can receive token-messages from events, keep them and 
send them to events. The actions performed by events consist 
of picking up message-tokens from places, changing and 
creating message-tokens and sending them to places. 

3. Typed Tokens in Typed Places 
Both concepts above exhibit some disadvantages: 


- Pure place typing needs some external mechanism to 
establish the presence of data. 
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- Pure token typing allows a message-token to be sent to 
every place in the net since there no protection from 
receiving message-tokens of the wrong type. 

This leads to the idea of combining both typing 
schemes. With this concept we restrict places in the net to 
accept only tokens of a certain type and the tokens are 
actually typed messages. One smal! problem does arise here: 
what if we want in some situations the token to have its 
original meaning only to indicate its presence without any 
data? This reminds of a message without contents. Asa 
solution we introduce following typing convention: 

- A place declared to be of a certain type or collection of 
types can only accommodate tokens that are messages of 


this type or collection of types. 


- A place declared to be of no type can only accommodate 
tokens which are “empty” messages. 


- An event will collect typed token-messages from the 
connected typed input-places, perform its designated 
action and output typed token-messages to the connected 
typed output-places. 

With this typing scheme we are now ina situation to 
specify data flow in time by means of typed tokens and 
places. Although we have based our work on Petri Nets we see 


that our concept has become more general and now reminds of a 


general message passing system. 


EF. SYNTAX 

Since our approach includes the existing specification 
methodology of the static computer resources, we have to 
carefully develop a new syntax which expresses both the 
static and dynamic properties of the systems to be specified. 
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The following syntax has been introduced with the 
specification of the Abstract Processor by Davis and Yurchak 
(1985): 
Resource <name> is 
Operand Types 
<operand types> 
Operators 
<operators> 
Properties 
<properties> 
The following requirements have to be fulfilled by the 
syntax we want to develop: 
- It has to have the ability to express both the static and 
dynamic properties of system properties where the static 
part should be left in the form as’ introduced by Davis 


and Yurchak (1984). 


- The form of the syntax should be as simple and easy to 
understand as possible. 


- The chosen names of the constructs of the syntax should 
be self-explanatory and suggest the intended meaning to 
the user. 


- It has to provide a precise and unambiguous way to 
specify the system. 


Another point to consider is that we want to follow 
certain accepted design principles, especially that of 
Information Hiding as it is done e.g. in the ADA package 
construct where there is a Package Interface (to provide the 
user of the package with all the information necessary to use 
the package and nothing else) and a Package Body (the 
implementation of the package). 

Before we finalize the syntax for the dynamic 
specification of a system we need to say something about how 
the dynamic properties of static objects are described in 
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terms of places and transitions. Places reflect’ the 
conditions on the execution of the static functions, whereas 
transitions are used to describe changes in these conditions 
during the execution of the static functions. Some of these 
places and transitions are generic, i.e. they apply to any 
function. For example, a function is always requested by a 
place and becomes activated by an activate-transition. This 
does not prevent us from defining additional places and 
transitions when they are needed for a specification. We are 
going to use an uniform notation to indicate the connection 
between the statement of the dynamic properties and the 
static properties. Given an operator storem : val, memaddr, 
State -> state we will use internal places names that are 
preceded by storem_ (e.g. storem_activated) and transition 
names that are followed by _storem (e.g. activate_storem). We 
also reserve standard notations for entry and exit places of 
subnets: entry places are always preceded by req_ (e.g. 
req_storem for “request a store in memory") and exit places 
are always preceded by avail. (e.g. avail_storem for "result 
of store in memory is available). We reverse the order of 
attaching the name of the function because we want to 
emphasize that a subnet represents a transition that is 
specified in detail. 
1. Places 
There are three types of places we want to 


distinguish in our syntax: 
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- internal places, which names’ and definitions are only 
known and accessible within the net they are defined in; 
the purpose is to build the internal structure of the net 

- entry places, which names’ and definition are also known 
and accessible to those nets which are declared to be 
extensions of this net; they provide an interface to 
invoke this net 

- exit places, which names’ and definitions are known and 
accessible to those nets which are declared to be 
extensions of this net; they provide an interface to 
obtain the results from the invocation of this net 

We have chosen the following syntax to describe 
places in our specification: 

place_name(net label) (message_typel. 

A place_name is the distinct name of a place in the described 
net. In the case that a place is either an entry or exit 
place the rule applies that their names are Known to those 
nets which are declared to be extensions of this net. If a 
net has multiple entry or exit places the parameter netlabel 
can be attached in parentheses to describe this fact where 
netlabel indicates a location in the system. As we have said 
a place is able to accommodate a certain kind of message so 
the type of the message the place can hold in brackets is 
part of the place description. The following description of 
places are legal (compare with the static specification for 
“fetchr™ and “storem™ in Chapter II): 

- storem_activated(val.memaddr.state]; a place of the name 
"storem_activated"™ which can hold messages that consist 


of data of type val, memaddr and state 


- fetchr_availf€l; a place of the "fetchm_avail™ which can 
only hold empty messages 
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- req_pushstk(netlabel)(val.stkaddr.state]; places of the 
name "req pushstk" which are distinguished by the 
parameter “netlabel”, all of them able to hold messages 
which contain data of types val, stkaddr and state. 

2. Transitions 

Our methodology defines transitions as the process of 
collecting a message from each connected input place and 
sending messages to every connected output place. So we want 
to state what kind of messages are received and transmitted. 
The following syntax is used to describe transitions: 
transition_name:input_messages -> output_messages. 
The transition_name is a distinct name for the transition in 
the net and is not known outside the net. Input and output 
messages are of the above form where multiple messages are 
separated by commas. The following examples are legal 
description of transitions: 

~ perform_storem: (val.memaddr.state] -> (statel]; 
the transition of the name "“"perform_storem" takes a 
message which contains data of type val, memaddr and 
state as input and outputs a message containing data of 
type state 

- finish _fetchr: (valJ],€] -> (Cvalj},(€12;3 
the transition of the name "“finish_fetchr” takes two 
messages as input where one consists of data of type val 
and the other is an empty message and outputs again two 
messages of same type 

Note that the description of transitions only 
deciares them in terms of their capabilities to accept and to 
transmit certain kinds of messages and does not~ show any 
internal action of the transition. The reason for this is to 
present the transitions as building blocks of the net in form 


of a mapping function which is general enough to provide 
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information about its interface and nothing more. The 
internal actions are described as the properties of the net. 
This does not necessarily means’ that a transition is 
instantaneous, rather the complexity of the internal actions 
determine the duration of the transition. But every complex 
transition can be modeled as. a net with entry and exit places 
such that the internal transitions become instantaneous. 
3. Properties 

Now that we have described the building blocks of a 
net we need to connect them in order to describe the intended 
timing of a system. The following form is chosen for the 
syntax of the properties of the net: 
transition_name(place_names(message_data) => 
place_names(message_ data}; This form shows’ how places and 
transitions are connected and how the transfer of message 
elements occurs between them. Here are some examples of legal 
property descriptions: 

- perform_fetochm(fetohm_activated(m.q]) > 
fetchm_completed{(v); the transition “perform_fetchm" 
occurs when there is a message in the place 
"fetchm_activated”. The message is taken from the place 
in such away that all message elements (memaddr m and 
state q) are available to the transition. Then the action 
of getting the memory contents is performed and the 
resulting value v is transmitted as a message to the 
place "fetchm_completed" 

- perform_storer(storer activated(v.r.q]) => 
storer_completed(qlil]; the transition “perform_storer" 
occurs when there is a message in the place 
"storer_activated” in such a way that the message is 
taken from the place in such a way that its message 


elements (value v, regaddr r and state q) are available 
to the transition. The action of storing the value v in 
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register fr is performed and the new state qi is 
transmitted as a message to the place "storer_completed" 


Functionally, the internal actions performed by 
transitions follow the rules stated as static properties for 
the functions involved. 

4. Initialization 

In some kinds of nets we have an internal circuit of 
places in order to act as a synchronization mechanism (as 
illustrated in Figure 4.4 to provide mutual exclusion). They 
have to be initiated somehow i.e. a message has to be placed 
in at least one of these places since they are not provided 
with messages from outside the net. We going to describe this 
‘initialization by using the symbol "=>" used to indicate the 
placement of a message into a place. The following is an 
example of an initialization: 


=> fetchm_avail(€)]; the place "“fetchm_avail™ is loaded 
with an empty message 


The initialization of a place is a one-time action at 
the beginning of system start and provides the necessary 
conditions to get a process going. It can be viewed as 
establishing the initial state of a computer system when it 


is turned on. 
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V. THE ABSTRACT PROCESSOR TIMING SPECIFICATION 


In this chapter we want to present some examples on how 
specific problems of timing in computer system can be modeled 
using the methodology in a top-down fashion. The examples 
resemble a variety of computer system timing problems to test 
the use of Petri Nets in specifying the timing properties. In 
Appendix B a complete specification of the static and dynamic 
properties of a reduced Abstract Processor is presented. We 
have chosen to use the Abstract Processor as the object to be 
specified in timing considerations because of the following 
reasons: 


- to emphasis this work as the logical step following the 
work of specifying static properties of systems, 


- by specifying a non-existent, abstracted processor we 
intentionally leave the issue of the actual 
implementation untouched since we stated that by whatever 
means the specification is implemented the processor will 
have the specified properties, 


- to emphasize our intention of specifying what the user of 


a processor wants to achieve and not how it is 
implemented as compared to a traditional processor design 
approach that is dominated by engineering and 


implementation issues. 

Also we want to show how well our methodology can deal 
with the special aspects of timing in computer systems. The 
special aspects we are concerned with are mutual exclusion, 
interrupt processing and concurrency. Despite the fact that 
the Abstract Processor is in its static part specified as a 
simple single processor during this work we have realized 
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that even there, a lot of potential concurrency can be 


detected. 
Whenever we refer to actual implementation we _ do this 
with the intention to give one example of how the 


specification could be realized. Once again we emphasize that 
the methodology stated in this work is only concerned with 
what is available in a system and not with the how it is 
implemented. We want to remind the reader that the 
methodology developed here is intended to be general. That 
is, it can be equally applied to the specification of 
computer resources that may be implemented in hardware, 
software or firmware. With this in mind we have look at the 
timing specification not as a blueprint by which a system can 
be build directly but rather as formally stated requirements 
a system has to fullfil no matter what approach is chosen for 


the implementation . 


A. ATOMIC NETS 

One feature of the methodology is it forces the specifier 
to focus on the essential nature of the system components. 
When we consider these essential components as actions ina 
system that are not further divisible we can speak of atomic 
actions which we want to specify as atomic nets in our 
methodology. Such nets will! use no other net in their 
specification and so can be considered as building blocks of 
a system. In general they represent the elementary actions in 
a system. The Abstract Processor consists of several such 
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elementary actions and to illustrate this idea, we will show 
how the actions of store operations and fetch operations can 


be described with atomic nets. 


B. MODELING OF MEMORY AND REGISTER ACCESS TIMING 

The first question we have to ask when we want to specify 
the access of memory or registers is what kind of information 
do we have to have available to perform an access’ and what 
information we obtain after the access has been made. In 
order to perform an access the address of the memory cell or 
register has to be available. Depending whether a store or a 
fetch has to be performed, we either have to provide a value 
for this process or we obtain a value from the process. Also, 
to indicate the current contents of the register or memory 
cell we have to indicate the process for accessing the state 
of the processor. In case of a store access we obtain a new 
state as the result of the process since the change of a 
memory cell or register also changes the state. 

At this stage we have established the components’ of any 
process dealing with the access of memory or registers. We 
anticipate that accesses to memory and registers will be made 
from various places in the system, so we provide a netlabel 
for every entry and exit place. In terms of our specification 
methodology can now define the entry and exit places of the 
subnet: 

- the fetching of the contents of a memory cell is 


requested by providing message which consists of the 
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memory address and the state to the following entry 
place: req fetchm(netlabe! )(memaddr.statel]3 


- We obtain as a result a corresponding message containing 
the value from the exit place: 
avail fetchm(netlabe!)({valj; 


- similarly we state the entry and exit places for fetching 
the contents of a register: 
req fetchr(netlabel )(regaddr.statel]; as the entry place 
and avail fetchr(netlabel)(€valJ; as the exit place 


- the storing of a value into a memory cell is requested by 
providing a message which consists of the value to be 
stored, the memory address and the state to the following 
entry place: req _storem(netlabel)(val.memaddr. state]; 


- We receive as a result a corresponding new state from the 
exit place: avail _storem(netlabel)(statel]; 


- similarly we define the entry and exit places for storing 
values into registers; 


req _ storer(netlabel)(val.regaddr.statel]; as the entry 
place and avail _storer(netlabel)€statel]; as the exit 
place. 


To show the versatility of the proposed methodology we 
will specify memory and register access differently: we are 
going to specify memory access in away that allows only one 
access to one memory cell at a time (an implementation for 
this method might be a single memory unit allowing only one 
access at a time). On the other hand we might want to able to 
access registers in parallel. These requirements determine 
the internal structure of resulting specification. 

Considering the above requirements on how we have to 
specify the system we realize that we have to construct the 
specification to deal with memory accesses and accesses to 


each register separately. 
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As the next step we are going to specify the memory 
accesses. Since we know from our requirements that only one 
access at a time is allowed to the memory we have to provide 
a mutual exclusion mechanism in our specification that makes 
sure that the memory is not accessed by more than one request 
at a time. 

From Figure 5.1 we see that from any system location 
indicated by a netlabel a message in an entry place to 
request a memory access can only trigger a transition to 
activate the process when the process is available. Since 
there is only one empty message to indicate the availability 
of the net only one request can be honored at a time. The 
availability is restored when the access is completed. Also 
we see that the internal places "processed _ for" serve as 
traffic signs to direct the results to the appropriate exit 
places. Drawing the picture of the net can be helpful to the 
process of specifying net just as flow charts can be helpful 
in programming tasks, but our intention is primarily to state 
a formal specification. The following is the dynamic part of 
the memory access specification expressed in precise syntax: 
entry places 

req fetchm(netlabel)(memaddr.state]; 

req storem(netlabel)(€val.memaddr.state]; 
exit places 

avail_fetchm(netlabel)(Cvalj];3 

avail storem(netlabel)(€state]; 
internal places 

access avail(]; 

fetchm_for(netlabel){]; 


fetchm_activated(memaddr.state]; 
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fetchm_completedlval]; 
storem_for(netlabel)C]; 
storem_activated(val.memaddr.state]; 
storem_completed{state]; 


initial state 
=> access_availl]; 


transitions 
act_fetchm: (memaddr.state],(€] -> Cmemaddr.state],(1; 
perform_fetchm: (Cmemaddr.state] -> [val]; 
finish_fetchm: [€valJ],C€] -> Cvall1,C]; 
act_storem: (Cval.memaddr.statejJ,(€]j] -> 
Cval.memaddr.statel],(j]; 
perform_storem: (Cval.memaddr.state] -> (statel; 
finish_storem: [(state],(€] -> (CstateJ,C1]; 


properties 

act_fetchm(req fetchm(l1)(€m.q]), access_availlj]) => 

fetchm_for(11)(],fetchm_activated(m.q]; 

perform fetchm(fetchm_activated(m.q]) => 

fetchm_completed{([v]; 
finish_fetchm(fetch_completed[(v], fetchm_for(11)(]) => 
avail_fetchm(11)€vj], access_availl]; 
act_storem(req_storem(1l1)(€v.m.ql], access_avail{]) => 
storem_for(11)(€1], storem_activatedl(v.m.q]; 
perform_storem(storem_activated({y.m.q]) => 
storem_completed{[qilJ; 
finish_storem(storem_completed{qi], storem_for(1]1)€]) => 
avail _storem(1l1)CqijJ, access_availl]; 

When we look at the requirements of the register accesses 
we see that the above design for memory accesses is not 
suitable for register access if we want to allow (for 
concurrent access to registers. So we have to find a way to 
express the properties of register accesses. Looking closely 
again at the requirements we realize that each register has 
the same access policies as the whole memory we specified 
before. This leads us to the fact that every register has to 
have its own specification. For the sake of simplicity let us 
Say that our system has three registers with register 


addresses 1,2 and 3. We could now define three different nets 
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each for the access of a certain register. There ioe 
problem though: whenever a register access is requested from 
somewhere in the system, the proper net for the register to 
be accessed has to be addressed. So we want to have the 
decision about which register net is meant centralized in one 


place in the system. Therefore we employ some decision 
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mechanism to select the right register access net. In this 
case the graph drawn out in Figure 5.2 of the net might 


confuse more than it helps. We try to specify the register 
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Figure 5.2: Petri Net Graph for Register Access 
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access just by direct reasoning. Still, the graph in Figure 
5.2 illustrates that, despite the fact that each register can 
be accessed independently from the other registers, only 
oneaccess to a register is allowed at a time because of the 
separate "access_avail”™ places for each register. These 
places prohibit any access to a register until it is 
available. 

Again, we can anticipate that access to registers will be 
requested by several locations in the system. So we can state 
the entry and exit places as we have in the memory example. 
Next we already found out that there three independent 
register access nets and we can use again this structure for 
internal places and transitions we used in the memory access 
net. But how do we state that the net for register 1 is used 
when there is an access request for register 1 and only this 
net? The indication that a certain register is going to be 
accessed is the register address contained in the request 
message. Now instead of a name of the register address we 
state the actual value of it when we specify the properties: 
entry places 

req _ fetchr(netlabel)Cregaddr.state); 

req storer(netlabel)(val.regaddr.statel]; 
exit places 

avail _fetchr(netlabel)(valj; 

avail_storer(netlabel)(€state]; 
internal places 

accessi_availl]; 

fetchri_activated(regaddr.state]}; 

fetchri_completed([val]; 

storerl_ activated(val.regaddr.state]; 


storeri_completed(state]; 
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access2_ avail(l; 
fetchr2_activated(regaddr.statel]; 
fetchr2_ completed(val]; 

storer2 activated(val.regaddr.state]; 
storer2_completed{(statel; 


access3_availl]; 
fetchrS3S_activated(regaddr.statel]; 
fetchr3_completed(val]; 
storer3_activated(val.regaddr.state]; 
storer3_completed{state]; 


fetchr_for(netliabel){]J; 
storer for(netlabel)(]1; 


initial state 
=> accessi_availll; 
=> access2_availll; 
=> access3_availl]; 


transitions 
act_fetchri: (Cregaddr.state],{] -> fCregaddr.statel,(1]; 
perform_fetchri: (Cregaddr.state] -> [val]; 
finish_fetchri: (fval],{€1] -> f€vall,(1; 
act_storeri: [Cval.regaddr.stateJ,{] -> 
{val.regaddr.statel],(]; 
perform_storeri: (Cval.regaddr.state] -> [statel; 
finish_storeri: [(state],{J] -> {(statel],{]; 


act_fetchr2: (Cregaddr.state],{1] -> fCregaddr.state],(1]; 
perform_fetchr2: (Cregaddr.state] -> [val]; 
finish_fetchr2: [val],{€1] -> (€valj,(C€1]1; 

act_storer2: (val.regaddr.state],{(] -> 
{val.regaddr.state],{jJ; 

perform_storer2: [Cval.regaddr.state] -> [state]; 
finish_storer2: [(statel],{] -> (statel],{]; 


act_fetchr3: (Cregaddr.state],{] -> (Cregaddr.statel,{]; 
perform_fetchr3: fregaddr.state] -> (val]l; 
finish_fetchr3: [C€val],{€1] -> (€valj],C€1]; 

act_storer3: [{fval.regaddr.statel],{] -> 
{val.regaddr.state],{(]; 

perform_storer3: (Cval.regaddr.state] -> [state]; 
finish_storer3: [{statej),{€] -> (€statel],{]; 


properties 
act_fetchri(req_fetchr(l1)(€1.q], accessi_availf]) => 
fetchr_for(1l1i)Cj],fetchri_activated(i.q]; 
perform_fetchri(fetchri_activated({1i.g]) => 
fetchri_completed{(v]; 
finish_fetchri(fetchi_completed(v], fetchr_for(1l1){€1]) => 
avail _fetchr(lid{€vl, accessi_availf]; 
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act_storeri(req storer(l1)(€v.1.qJ], accessi_availlf]J) => 
storer_for(1l1)(1], storeril_activated(v.1.q]; 
perform_storerl(storerl_ activated({y.1.q]) => 
storeril _completed[qi]; 
finish_storeri(storeri_completed{[{qi], storer_for(1l1){1J) 
=> avail_storer(l1l)€qijl, accessi_availll; 


act_fetchr2(req fetchr(1l1)(2.q], access2_availf[J) => 
fetchr_for(l1)£€),fetchr2_ activated(2.q]; 

perform_fetchr2(fetchr2_activated([2.q]) => 
fetchr2_completed([v]; 

finish_fetchr2(fetch2_completed{v], fetchr_for(l1)(€J) => 
avail _fetchr(l1i)f€vl, access2_availl]; 

act_storer2(req _ storer(l1)(€v.2.q], access2_availfJ]) => 
storer_for(l1)(], storer2_activated[(v.2.q]; 

perform_storer2(storer2 activated(v.2.qjJ) => 
storer2 completed(q1]J; 

finish_storer2(storer2 completed{({qijJ, storer_for(11)(€)]) 
=> avail_storer(l1){€q1], access2_ availl]; 


act_fetchr3(req fetchr(11)(3.q], access3_availfJ) => 
fetchr_for(1l1)C),fetchr3_activated(3.q]; 

perform_fetchr3(fetchr3_activated[3.q]) => 
fetchr3_completed[v]; 

finish_fetchr3(fetch3_completed(vJ], fetchr_for(11)(]) => 
avail _fetchr(l1l)€vJl], access3_avail(]; 

act_storer3(req storer(l1)£v.3.q], access3_availfJ) => 
storer_for(1l1)(€], storerS3_activated(v.3.q]; 

perform_storer3(storer3_activated({£yv.3.q]) => 
storer3_completed[q1]; 

finish_storer3(storer3_completedf({qijJ, storer_for(11)(1]) 
=> avail_storer(1l1)€qijl, access3_availl]; 


We see that even specifications of simple resources 
become large and complex and the drawing the net is even more 
complex. Here we realize the real benefit of the introduction 
of subnets: once these subnets are specified we can use their 
properties everywhere in our system simply by stating the 
entry and exit places of the subnets in the net we want to 
specify. Those nets using subnets are actually extensions of 
the subnets. The next section will illustrate these facts in 


detail. 
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C. MODELING GF INSTRUCTION FETCH AND EXECUTION TIMING 

From the static specification of the Abstract Processor 
we see See there are two Brorands “prog” and “exq™ which are 
responsible for the process of executing programs. The 
process is kept going by corecursive calls between those two 
operators. 

Even though those _ two processes are very closely 
connected by corecursive calls we want to consider them 
separately and start with specifying the “exq” process. 

The "exq” process needs information about the instruction 
to be executed, the current memory address, and the state of 
the processor. After the process has finished it returns the 
new state. This determines the contents of the messages the 
entry and exit places of this net have to accommodate. Stil! 
we have to decide what’ kind of execution unit we want to 
specify. We want to specify that only one execution unit can 
be performed at a time. This means that we have to provide 
mutual exclusion for the use of this net. We can do this the 
same way as we provided for memory accesses. We can 
accomplish that by providing a distinct entry place and exit 
place indicated by netlabels. Now we are in a position to 
specify the entry and exit places: 


- req exq(netlabel)Cinstr.memaddr.state]; as the entry 
place 


- avail_exq(netlabel)(memaddr.statejJ; as the exit place 
At this point we have to look closely at the actions an 
execution on an instruction has to accomplish: retrieval of 
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information from the instruction, about register and memory 
addresses of operands, and about the operation to be 


performed, accesses to the operands, application of the 


operator, and calculation of the address of the next 
instruction to execute. We see now that the previous 
specifications for memory and register accesses will come in 
handy when have to specify these accesses in the 


specification. Also we assume for this’ specification that 
there are nets for the retrieval of operands and operators 
from the instruction, the application of operands”) and 
calculation of the next memory address. 

The next issue we have to address’ is the fact that 
different instructions have to be executed differently. Here 
a decision mechanism similar to the one we introduced to 
access a specific register can help us to make the 
specification structured and understandable. The mechanism we 
introduce here has to recognize from the instruction part of 
the message which execution is requested and has to direct 
the path within the specification to the appropriate part of 
the specification. In the formal specification we indicate 
this explicitly by the contents of the instruction part of 
the request message. 

In the following we show some representative examples of 
the execution specifications of different instructions. Their 


graphs are depicted in Figures 5.4 and 5.5 and illustrate 
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clearly the simplification obtained by the use of predefined 
subnets. 


entry places 
req_exq(netlabel)Cinstr.memaddr.state]; 


exit places 
avail _exq(netlabel)(memaddr.state]); 


internal places 
exq_ availl]; 
exq for(netlabel)(); 


exq monad_activated(state]); 
exq monad_fetch(statel]; 

exq _ monad_apply(lstate]; 
exq_monad_store(l]; 


exq mov_r_r_activated(state]; 


exq mov_r r_performl(state]; 
exq mov_r_r_store(l]; 


initial state 
=> exq availld); 


transitions 

activate_exq_monad: (Cinstr.memaddr.state],{) -> 
Cstate],Cinstr]),Cinstrj), Cinstr]), (memaddr]; 

start_exq monad: (state), (Cregaddrj, -> 
(state), (Cregaddr.state]); 

apply_exq_ monad: (statej],lCoperator),{€val]) -> 
(state), Coperator.val]); 

store_exq monad: (statel],({val),Cregaddr) -> 
C],Cval.regaddr.state); 

finish_exq_monad: (],(€state), {(memaddr) -> 
C(memaddr.state]; 


activate_exq mov_r_r: Cinstr.memaddr.state),{] -> 
C{state],Cinstr], Cinstr], (memaddr]); 

start_exq mov_r_r: (Cstart)],Cregaddr] -> 
(state), {(regaddr.state]; 

store_exq mov_r_r: (state), lCregaddrj),€valj -> 
{),€val.regaddr.state); 

finish_exq_ mov_r_r: (],€state), (memaddr] -> 
C(memaddr.state]; 


properties 
activate_exq monad(exq availld, 
req _ exq(!l){monad(o.ri.r2).m.q]) => 
exq for(l])C), exq_monad_activated{(q], 
req operator(|li)dCmonad(o.ri.r2)], 
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req operandi(!l2)C€monad(o.ri.r2)], 
req operand2(13)Cmonad(o.ri.r2)], 
req nextmemaddr(14)(mj; 
start_exq monad(exq monad_activated([ql, 
avail_operandiclidCrijd) -> exq_monad_fetch{q], 
req fetchr(!l5)Cri.q]; 
apply_exq monad(exq monad_fetch[q], avail_fetchr(1]5){Cvl, 
avail_operator(l1)€o0]) => exq_monad_applylq], 
req _ apply_mop(16)lo0.v]; 
store_exq monad(exq monad_applylq]l, 
avall_apply_mop(16)(vil, avail _operand2(13)C€r2]) => 
exq_monad_store(], req _storer(!]7)(vi1.r2.q]; 
finish_exq_ monad(exq monad_storef], avail _storer(17)(q1l, 
avail nextmemaddr(14) €m1J]) => avail_exq(l)f€m1.q1J; 


activate_exq mov_r_r(exq availll, 
req_exq(])C€mov_r_r(ri,r2).m.qj) => 
exg_ mov_r_r_activated(q], 
req operandi(l1i)C€mov_r_or(ri,r2)], 
req _operand2(12)C€mov_r_r(ri,r2)], 
req_nextmemaddr(13)(mJ}3 
start_exq mov_r_r(exq mov_r_r_activated(ql], 
avail_operandi(!lidCrij) => 
exq_mov_r_r_perform(q], req fetchr(14)C€ri.q]; 
store_exq_mov_r_r(exq mov_r_r_performlgq], 
avail fetchr(14)C€vJ, avail_operand2(12)(€r2]) => 
exq_mov_r_r_storel], req_storerlv.r2.q]; 
finish_exq_mov_r_r(exq mov_r_r_storel[], avail_storerlq1il, 
avail _nextmemaddr(1!13)CmiJ) => 
avail_exq(1])€m1.q1]; 


The above two examples show the specification of the 
execution of a monadic instruction and of a move instruction. 
We have used the previously specified register access 
("fetchr” and "storer”™) to fetch the contents of a register 
and to store a value into a register. The way we used them 
was that we stated their entry and exit places at the 
appropriate locations in the description of the properties of 
our execution specification. In the same way we invoked the 
specifications of "“nextmemaddr", "apply_mop”, "operandi", 
"operand2" and "operator" which for this example we assumed 
to be defined . 
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We want to emphasize at this point that the stated 
properties of the given examples are not the only way the 
Be ecution could be specified: we are following the philosophy 
that as soon as the information is available, the possible 
requests are made based on the information. In a real 
specification other considerations may have priority, but our 
intention is to show how this can be accomplished using the 
methodology. 

The next part of the specification is to state the "prog" 
part and to connect it with “"exq”" in a way that illustrates 
the corecursiveness of their interconnection. Since we have 
already modeled the "“exq" part as a process’) taking an 
instruction, a memory address and the state, and provides a 
new memory address and a new state, we want this as a subnet 
in our “prog" specification. When we look again at the static 
specification of “prog" of the Abstract Processor we realize 
that this process needs a memory address and the state to get 
started, i.e. the same information as "exq"™ provides as 
output. This fact leads to the idea of a loop in requesting 
"prog": when “prog" has performed its initial tasks and has 
invoked “exq" it is in the situation of requesting itself 
again as soon as_ the result of “exq" is obtained. This idea 
will work nicely once the process is started, but how do we 
get this process running? Here we can claim that the initial 
request has to come from the outside world (imagine a 


possible implementation as an on-Sswitch at the machine which 


61 


peuvon [T@) zppeuow PAT AOR 
bxo qAxeu (uw) rppewou 
USTUTS “TFRAe yAxeu bez 


[22] [(z2’°T2’o) 
zpuerizedo pruow) 


guom bxe 01039 
; TTeae zpuezedo bez 


peuow bxe Atdde [9] _ [ (72 °T2’o) 
z103¥210ed0 pruot) 


TT#Ae 20R301ed0 bez 


peuow bxe A71e48 
[TA] (t2} [((z72’°T2’0) 


[tb} 2204s §=[b’z2°Ta] dow Atdde  [a°ojdou [aJzyojez [b’t{2] Ipuezedo peuon]) 
TTeae xz0e2x0348 bez tjTeae Atdde bez TTPaAe xryoRe3 bex TTeaAe [puvzedo bex 





[}e2048 peruow bre [b})Atdde peuow bxe [b} yo3ez peuow bxe [b] peqeat jor peuom bxe 











[Tb° Tw} (IT) bxe Tyeae 


© 





>, 
{JTyeae bxe Pee Orne oc 


pruow) (TT) bxe bez 


SS 





O 


_monad” 


"exq 


Net Grapitgast 


: Partial sreeci 


3 


5) 


igure 


2 


2 I 
Aou 
bxo_ 
Yszuys (Tw) zppeueu 
qxeu [Tear 
(z1) zpuezedo 
TTeae 
x X aow bxe ©2038 
\ 
SS 
x 21 Aow-bxe 422438 
[Tb] 202038 [b-zz°a) [a] 2y0903- [b° 12] [12] Tpuezedo— 
TTeae zez03s bez TTeae zyoqez bez TT eae 
YS CO aro S 
K \ \ 








©1038 xX 2 Aow bxe 






(O) (tb: ta) 
(T)bxe TTeae 





[](t)z0z bxe > 








m10zzed x 2 aow bxe 









@) {)}TTeae bxe NS 


Cae 

ou 

bxe 

eqestqor 
{w]) tppreweu 
axeu bez 


(O) 


({zz’{z) 2x 2 aow] 
zpueizedo bez 


© 


({zz’Tz)z 2 aow] 
[puezedo bez 


© 


{b) peqaeatqoe 21 x aow bxe 





(bow (Z1°T2 


)z 2 aow) ({T)bxe bez 


ky 


i 


"exq_ mov_ 


Net Graph of 


Petri 


Partial! 


Figure 5.4: 


63 


resets the state and sets the program counter to a predefined 
initial value). We want to specify this process asa single 
control unit and that this is the major process in the 
system. The following is a possible specification of "prog" 
(see also Figure 5.5): 


entry places 
req prog(memaddr.statel]; 


internal places 
prog _availl]); 
prog fetch(memaddr. state]; 
prog _instr(€memaddr.state]; 
prog _performl ] 


initial state 
=> prog_avail(ld; 


transitions 

activate_prog: (j)],(€(memaddr.state] -> 
C(memaddr.stateJ], (memaddr.state]); 

get_instr_prog: [(€memaddr.state],(val] -> 
C(memaddr.statej],(val]; 

perform_prog: (Cmemaddr.stateJ],Cinstr] -> 
CJ,Cinstr.memaddr.state]; 

finish_prog: (J],(€memaddr.state] -> 
CJ], (memaddr.state]; 


properties 

activate _prog(prog availlf€j), req _prog(€m.q]) => 
prog _ fetch(m.q], req _fetchm(l1)(m.q]; 

get_instr_prog(prog activated(m.q], avail fetchm(Il1)Cv)) 
=> prog_instr(m.q], req_atomofinstr(l2)(v]; 

perform_prog(prog_instr(m.ql, 
avail _atomofinstr(1l2)CijJ) => 
prog _ performl(], req _exq(I3)li.m.q]; 

finish_prog(prog perform(€], avail_exq(€mi.qilJ) => 
prog_availlj), req _prog(mi.qil; 


The declaration of "req prog” as an entry place models 
our previous stated connection to the outside world. Note 
that this specification in the form presented could not be 


used as a subnet since no exit place has been declared. The 
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following Figure 5.5 shows how this specification is drawn as 


a net. 


D. MODELING OF INTERRUPTS 

The above specifications of “exq" and “prog” and their 
interconnection in their current form does not provide for 
any recognition and processing of interrupts. This chapter is 
to show one way how interrupts could be handled using our 
specification methodology. 

As always the first step is to state the requirements for 
the process of interrupt handling. We want to look at 
interrupts as a signal which comes either from outside or 
inside the system on which the current running program is 
interrupted and a handler program at a predefined location is 
started. After the completion of the handler the execution of 
the interrupted program is resumed, therefore we need to save 
the memory address of the interrupted program. Also we want 
the invocation of the interrupt handler only to happen ata 
defined state, i.e. between the completion of the execution 
of one instruction and the fetching of the next instruction. 
Another requirement is that the interrupt handler acts ona 
Single interrupt only one time, so that a following interrupt 
Signal can be interpreted as another interrupt. In the 
following specification we assume that there is a dedicated 


stack in the system on which the current memory address of 
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the running program can be saved. Also, for simplicity 
reasons we.allow only one type of interrupt, i.e. the handler 
has to determine the source of the interrupt by software. The 
following is one way to specify the above requirements (also 
see Figure 5.6): 


entry places 
req prog(memaddr.state]; 


internal places 
prog availl]; 
prog fetch(memaddr.state]; 
prog_instr(€memaddr.state]; 
prog _perform(] 
prog check(memaddr.state]; 
prog_savel]; 


initial state 
=> prog_avail(l]; 


transitions 
activate_prog: ([(], €memaddr.state] -> 
({memaddr.statel], (memaddr.statel]; 

get_instr_prog: [(memaddr.state],{€val] -> 
C(memaddr.statel], (val]; 

perform_prog: (memaddr.statel],finstr] -> 
C]1,Cinstr.memaddr.state]; 

finish_prog: ()],€memaddr.state] -> 
C{memaddr.state],(1]; 


normal prog: (Cmemaddr.state],(€] -> 
{], (memaddr.statel]; 

itrpt_prog:(memaddr,state],(] -> 
{], Cinstr.memaddr.state]; 

fin_int_prog: [1], €memaddr.state] -> 
{], (memaddr.state]; 


properties 
activate_prog(prog_ availll], req _prog(m.q]) => 
prog fetch(m.q], req fetchm(11)€memaddr.statel]; 
get_instr_prog(prog activated(m.q], avail _fetchm(1]1){€v]) 
=> prog_instr(€m.q], req_atomofinstr(l2)(v]; 
perform_prog(prog_ instr(m.ql, 
avail_atomofinstr¢dl2)CijJ) => 
prog perform(], req_exq(13)Ci.m.q]; 
finish_prog(prog_ perform(€], avail_exq{€mi.qil) => 
prog _check(€mi.qil, req _check(]; 
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normal_prog(prog_ check({€mi.qiJ, avail_normal{€}) => 

prog_availfl], req_prog(mi.qi] 
itrpt_prog(prog_check(mi.qiJ), avail_intrpt{}]) => 

prog _savel]), req_exql(jsr(Cint_addr,sys_stk).mi.qil; 
fin_int_prog(prog_savel], avail_exq{m2.q2]) => 

prog _availl), req prog(m2.q2)]; 

The above interrupt-sensitive specification of “prog” is 
very similar to the former specification of “prog” which did 
not provide for interrupt handling (compare Figure 5.5 and 
Figure 5.6). The major difference is that an "external! agent” 
is invoked as soon as the execution of the instruction is 
completed. This Agent sends a message to one of its output 
places to show that either an interrupt is present or not. 
This construct ensures two properties: Tirst, the External 
Agent is responsible for clearing the interrupt signal after 
it has recognized it so that an interrupt is only honored 
once; second, the presence of an interrupt has priority over 
the normal way of execution of a program. Once an interrupt 
has been detected by the Agent and its appropriate output 
place has been provided with a message the "prog™ process can 
continue and it will place the current memory address ona 
specified system stack by executing a "push™ instruction and 
will Start a new cycle at the system interrupt handler 
address. Since the interrupt handler is by itself a loaded 
user program is responsible for saving the necessary register 


contents and for restoring those registers and the saved 


memory address from the system stack when it finishes. 
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E. EXECUTION OF PROGRAMS 
The question to be asked now is: how will the proposed 
specification methodology show the timing of the execution of 


programs? As an example, let us consider the following simple 


program: 
1000: 1 
1001: 2 


2000: MOV_M_R 1000,ri1 

2001: MOV_M_R 1001,r2 

2002: ADD ri,r2,r3 

2003: MOV_R_M r3,1002 

2004: STOP 

The above program retrieves the values "1" and "2" from 
memory addresses 1000 and 1002 into registers "ri" and "r2", 
adds them together, with the result in "r3", and than moves 
this result into memory address 1002. At the top level of the 
specification there is the “prog” net. With the start of this 
program it receives the "req prog{2000.qijl"* message from the 
outside. It retrieves the instruction contained in memory 
address 2000 and invokes the "exq"” net with the message 
"req_exqlinstr.2000.qi1". Inside the "exq”™ net the "external 
agent” determines the appropriate net to process’ the 
instruction, here the "mov_mr™" net, and enters’ this net. 
After the completion of "exq", "prog" finishes with a message 
"req prog{2001.q2]" to itself where the "2001" and q2 were 
obtained from the execution of "exq”. At this point “prog” 


starts all over again and finishes with the message 


"req prog(2002.q3]". This repeats until the "stop" 


*Netlabels are omitted for simplicity 
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instruction is executed and results in termination of the 
process. Inside the invocations of the "“exq” net there are 
several uses of the nets to access memory and registers as 
well as to process "nextmemaddr”". 

The following shows the major messages with their 
included data that are exchanged during the course of the 
execution of the program (not necessarily in the order as 
they might occur): 


req _prog[(2000,q1] 
req fetchm[2000,q1] 
avail _fetchm(*MOV_M_R 1000,ri"] 
req atomofinstr(€"*MOV_M_R 1000,ri"] 
avail _atomofinstr(C€mov_m_r(1000,ri)J 
req_exq(C(mov_m_ r(1000,ri).2000.q1] 
req operandi(Cmov_m r(1000,ri1)J] 
avail _operand2(1000] 
req operand2([(mov_m_ r(1000,r1)1] 
avail _operand2(riJ] 
req _ fetchm([1000.q1] 
avail fetchm[1] 
req storer[i.ri.qil] 
avail _storer([q2] 
req _nextmemaddr[2000) 
avail _nextmemaddr([2001 ] 
avail _exq(2001.q2] 
req _progl(2001,q2] 
req _ fetchm(2001,q2] 
avail_fetchm("*MOV_M_R 1001,r2"]) 
req _atomofinstr(€"*MOV_M_R 1001,r2"]J 
avail_atomofinstr(€mov_m_r(1001,r2)] 
req_exq(mov_m_r(1001,r2).2001.q2] 
req operandilCmov_m_r(1001,r2)] 
avail _operand2[1001] 
req operand2(mov_m_ r(1001,r2)] 
avail _operand2[(r2] 
req _ fetchm(1001.q2] 
avail _fetchm[2] 
req _storer(2.r2.q2] 
avail _storer([q3] 
req _nextmemaddr[2001] 
avail _nextmemaddr[2002] 
avail _exq(2002.q31] 
req progl(2002.q3] 
req _ fetchm[ 2002, q3] 
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avail fetchm("ADD ri,r2,r3"] 
req atomofinstr("ADD ri,r2,r3"] 
avail_atomofinstrl€dyadr(add,ri,r2,r3)] 
req exqldyad(add,ri,r2,r3).2002.q3] 
req operandil(dyad(add,ri,r2,r3)] 
avail_operandi(ri] 
req operand2(dyad(add,ri,r2,r3) J 
avail _operandil(r2] 
req operand3(ldyad(add,ri,r2,r3)J] 
avail operand3[ri] 
req operator(dyad(add,ri,r2,r3)] 
avail _operatorladd] 
req fetchrl(ri.q3] 
avail fetchr[1] 
req fetchr(r2.q3] 
avail _fetchr[2] 
req applydopladd.1.2] 
avail _apply_dop(3] 
req _ storerl(3.r3.q3] 
avail _storer(q4] 
req _ nextmemaddr[(2002] 
avail _nextmemaddr(2003] 
avail _exq(2003.q4] 
req progl(2003,q4] 
req _ fetchml( 2003, q4] 
avail fetchm("MOV_R_M r3,1003"] 
req atomofinstr(€"MOV_r_m r3,1003"]J 
avail _atomofinstrlCmov_r_m(r3, 1003) ] 
req_exq(mov_r_m(r3, 1003).2003. q4] 
req operandilCmov_r_m(r3,1003) ] 
avail _operand2[r3] 
req _operand2(mov_r_m(r3, 1003) J] 
avail _operand2(1003] 
req fetchr(r3.q4] 
avail _fetchm(3] 
req storer(3.1003.q4] 
avail _storer(q5] 
req _nextmemaddr[2003] 
avail _nextmemaddr(2004] 
avail _exq(2004.q5] 
req prog[(2004.q5] 
req fetchm(2004,q5] 
avail fetchm("STOP"] 
req atomofinstr(€"STOP” 3] 
avail _atomofinstrlstop] 
req_exq(stop. 2003. q4] 
avail_exq(.q4J 
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With the appropriate tools to track certain messages and 
their contents one is able to take snapshots during the 
course of the execution to determine the timing within the 


execution. 
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VI. SUMMARY AND CONCLUSION 


The intention of this work has been to present a 
methodology to specify timing in computer systems with strong 
San nati on the issues of portability and reusability. The 
work has been also influenced by the goal to pursue a 
practical viewpoint for dealing with computer resources. In 
describing the essential properties of timing between 
abstracted computer resources, it has been possible to state 
the required timing in a system in an exact and rigorous way. 
As a first result of this work it has been pointed out that 
the attempt to specify the time behavior of a computer system 
without having a formal specification of the static behavior 
of the system will lead to inconsistencies and errors. We 
view the timing specification as an extension of the static 
specification (the system functionally) to a complete 


specification (the system functionally and dynamically). 


A. ADVANTAGES 

This methodology is based on Petri Nets and their 
underlying theory. Since Petri Nets are an accepted and 
commonly used tool ina variety of applications one familiar 
with Petri Nets will have almost no, problems understanding 
the methodology. During the course of this research a number 


of distinct advantages have been recognized: 
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ie Ability to State Asynchronuous Timing 


Asynchronuous timing in a system is the most common 
timing method in any computer system, be it the reaction on 
the completion of some task or dealing with an external 
interrupt. The examples presented during this work show very 
clearly that every event displays asynchronuous' timing since 
it reacts on certain holding conditions whenever they might 
be true. By stating events and their connected places we can 
describe the asynchronuous timing easily. 

2. Ability to Show Dataflow in a System 

The combined consideration of timing and dataflow in 
a system has been accomplished by changing the original token 
meaning of Petri Nets into a data carrying message. This 
enables the methodology to exhibit currently available data 
at any stage of the process. 

3. Ability to Model Concurrency 

The inherent ability of Petri Nets to model 
concurrency by activating several places as the result of a 
transition is available in this work and provides a useful 
construct. 

4. Ability to Model Mutual Exclusion 

As it was shown in different examples it was possible 
to model mutual exclusion simply by incorporating a structure 
of control places into nets which allow only one access to 


the nets or to of parts of the nets at a time. 
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B. DISADVANTAGES 
The disadvantages of this methodology can be based on the 
properties of Petri Nets and the intended accuracy of the 
specifications. 
1. Complexity 
The given examples, though very simple and small! in 
their nature, exhibit a large complexity in stating the 
specification. This complexity is largely due to the details 
involved in the timing of systems and also to the attempt to 
handle data in the timing. The syntax presented is only one 
way of representing formal timing specification and it is 
very tedious for the user to deal with it, therefore a future 
implementation should provide an user interface which is easy 
to interact with, preferably in a graphical environment. 
2. Difficulty to Model Decisions 
Petri Nets by their nature are non-deterministic and 
so the specification methodology presented suffers from this 
disadvantage when we are forced to model decisions. The idea 
introduced of “external agents" helps to deal with this 


problem. 


C. FURTHER RESEARCH TOPICS 

This work has been a basic step in showing the 
possibility of specifying the time behavior of a computer 
jsystem. As further research topics we suggest the following 


areas: 
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Automation of this methodology to hide the complexity of 
the specification from the user by providing a graphical 
interface 


Provision of automated features which allow the user to 
make inquiries about the specified system, e.g. existence 
of deadlocks, history of invocations of certain subnets, 
trace of certain messages, etc. 


Development of tools which are able to analyze and 
compare the performances of different specifications 


Research in the area of timed Petri Nets where actions 
can be specified to be performed within a specified time 


Application of this methodology in the area of the newly 


developed computer systems using transputers’9 and their 
programming language OQCCAM 
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APPENDIX A; EDITED STATIC SEECG iG A eho 


THE ABSTRACT PREGESSOGn 


This edited specification of an Abstract Processor is 
based on the work of Yurchak (1984). It uses an improved 
syntax of Davis and Yurchak (1985) which is considered more 
meaningful. Also, some minor changes to correct errors have 
been made. The specification consists of two parts: the 
replacement statement which provide a_ shortcut for stating 
frequently used properties, and the specification of the 


various resources. 


replace(xX,S) 
"equivre!] (X;,S);" 
with 
PAL 1) = Serve () 
XCpej) ="XCi, 72>: 
implies(Cand(X (1, j),XCj,k)),X(1,Kk)) =strueQ- | 


replace(xX,5S) 
"reflexive(x,S);” 
with 
WC 1): Sere (oa 


replace(x,S) 
"commutative(xX,S);" 
with 
XGA is Ser ia) ae 


replace(X,5S) 
"transitive(x,S);" 
with 
"iamplies(and(X(i, j),X(j,k)),X(Ci,k)) = teueOore 


replace(X,S) 
"associative(x,S);" 
with 
"XCI,XCj, kK) ) =X Oe aD 


replace(xX,S) 
"irref lex ive CxX,so 
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with 
e@i i) = false) 3" 


replace(X,5S) 
peymmetric(xX, 5); 
with 
Bmolies(X¢€i, 3),X(j,1i)) = true ();" 


replace(xX,5) 
Y“antisymmetric(x,5S);" 

with 

"implies(and(X(i, j),X(j,i)), Ciz=j)) = true ();" 


replace(S,T) 
padopers(S,T);" 
with 
PetartTlT: -> S; 
mextT: S -> S&S; 
Brevyl: S -> 5S; 
pee:  S,5 -> bool;” 


replace(S,T) 
baidaxioms(S,T);" 
with 
"prevS(startT()) is undefined; 
prevS(nextS(i)) = 1; 
Pee i !'= startT() 
then 
nextS(prevS(i)) = i; 
endif; 
equivrel(¢eqS,S);" 


replace(S) 
"typingopers(S);" 
with 
"types: -> type; 
meeomotS: val -> S; 
marofsS: S -> val;" 


replace(S) 
"typingaxioms(S);" 
with 
"whattype(valofS(t)) = typeS(); 
aeomotrS(valofS(t)) = t; 
if whattype(v) = typeS() 


then 

valofS(atomofS(v)) = v; 
else 

atomofS(v) is undefined; 
emic it ;" 


replace(S,T) 


ad 


"“relopts, 1) % 
with 
"applyrop (ST ©), vi 2 a= 
valofboo! (TS(CatomofS(vi),atomofS(v2)));" 


replace(S) 
“tsops (SS) 34 


with 
"if whattype(v) = typeS() 
then 
applybop(isS(),v) = valofbool (true()); 
else 
applybop(isS(),v) = valofbool!l (false()); 
endif;" 


replace(S,T) 
"stateaxioms(S,T);" 
with 
"fetchS(a,initam()) is undefined; 
storeS(fetchS(a,q),a,q) = q; 
implies(eqT(al,a2),fetchS(al,storeS(v,a2,q)) = v) 
= true(); 
implies(not(eqT(al,a2),fetchS(al,storeS(v,a2,q)) = 
fetcnS(al,.q)) 9=struedq) 3" 


Resource boolean is 
Extension of 


Operand Types 
bool; 


Operators 
crue: mos DoOOd ; 
false: -> bool; 
not: )boo!l—> stool: 
and: bool!l,bool -> bool; 


Derived Operators 
Or: }bO00!,, Doe!) - > 4boa i: 
implies: bool], bool »-7ebeo! 


Derived Definition 
or(bi,b2) = notCand(not(bl1)) net cChZ eee 
implies(b1i1,b2) = not(Cand(b1l1,not(b2))); 


Properties 
false = not(true()); 
not(not(b)) = b; 
and(true(),b) = b; 
and(false(),b) = false(); 
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commutative(and, bool); 


end boolean; 


Resource natural is 


Extension of 
boolean 


Operand Types 


nat; 

Operators 
zeronat: -> nat; 
prednat: nat -> nat; 
succnat: nat -> nat; 
sumnat: nat,nat -> nat; 
mltnat: nat,nat -> nat; 
divnat: nat,nat -> nat; 
eqnat: nat,nat -> bool; 
gtnat: nat,nat -> bool; 


Derived Operators 


hinateonat,nat -> bool; 
genat: nat,nat -> bool; 
lenat: nat,nat -> bool; 
nenat: nat,nat -> bool; 


Derived Definition 
lItnat(n,m) = notCor(gtnat(n,m),egqnat(n,m))); 


genat(n,m) = 


lenat(n,m) 
nenat(n,m) 


not(ltnat(n,m); 
not(gtnat(n,m); 
notCeqnat(n,m) ; 


Properties 
prednat(zeronat()) is undefined; 
prednat(succnat(n)) = n; 
succnat(prednat(n) ) 
Sumnat(n, zeronat() ) 
sumnat(n,succnat(m)) = 


tL 
J 


succnat(sumnat(n,m));3 


subnat(n, zeronat()) = n; 
if gtnat(n,m) = true() 
then 
subnat(n,succnat(m)) = prednat(subnat(n,m)) ; 
else 
subnat(n,succnat(m)) is undefined; 
endif; 
mitnat(x, zeronat()) = zeronat(); 


mitnat(x,succnat(zeronat())) = x; 
mitnat(x,y) = sumnat(x,mlitnat(x, prednat(ly))); 
if eqnat(y,zeronat()) = true() 
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then 
divnat(x,y) is undefined; 

else if ltnat(x,y)) = Grue@ 

then 
divnat(x,y) 


else 
divnat(x, y) sumnat(succnat(zeronat(), 


divnat(subnat(x,y),y))3 


zeronat; 


endif; 

endif; 

eqnat(n,m) = eqnat(succnat(n), succnat(m) ); 
gtnat(succnat(n),n) = true(); 


equivrel Ceqnat, nat); 
irreflexive(gtnat, nat); 
irreflexive(ltnat, nat); 
transitive(gtnat, nat) ; 
transitive (ltnat, nat); 
transitive(genat, nat) ; 
transitive(lenat, nat); 
antisymmetric(genat, nat) ; 
antisymmetric(lenat, nat); 
symmetric(nenat, nat); 
commutative(sumnat, nat); 
commutative(mltnat, nat); 
associative(sumnat, nat); 
associative(mltnat, nat); 


end natural; 


Resource integer is 


Extension of 
boolean, 
natural 


Operand Types 
Int: 


Operators 
zerolnt<. => sige; 
ntol: Nat r=> int: 
iton: int => nat; 
Predint: int. s ince 
SUCCING: Win. eli 
SUMINE*> ints int —oin.. 
mleine: Waite mh Ce ene 
divint: int inteae eon. 
moaint: int.aint —> ene. 
eqint: int, int) —> Veeco, 
gtint: int int s-~eboolw. 
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Derived Operators 
eine: fmt, int -> Bool; 
Teintcmime, he —2 Doo! ; 
lca nctcaeemteint —> bool; . 
netniecelat, ine —2 bool; 


Derived Definition 
lItint(n,m) NGtCOmegerine(n,m),eqint (n,m) )); 
geint(n,m) not(ltint(n,m);3 
leint(n,m) not(gtint(n,m) ; 
neint(n,m) notCeqint(n,m); 


Properties 
predint(succint(n)) = n; 
succint(predint(n)) = n; 
ntoi(€zeronat()) = zeroint();3 


ntoi(€succnat(n)) = 
sumint(succint(zeroint()),ntoi(n)); 


iton(zeroint()) = zeronat(); 
' Gf Iltint(x,zeroint()) = true() 
then 
iton(x) is undefined; 
else 
iton(succint(x)) = sumnat( 
succnat(zeronat(),iton(x)));3 
endif; 
if ltint(x, zeroint()) = true() 
then 
absint(x) = subint(zeroint(),x);3 
else 
absint(x) = x; 
endif; 
sSumint(n, zeroint()) = n; 
sSumint(n, succint(m)) = succint(sumint(n,m)); 
subint(n, zeroint()) = n; 
subint(n,succint(m)) = predint(subint(n,m)); 
subint(n, succint(m)) is undefined; 
mitint(x, zeroint()) = zeroint(); 
mitint(x,succint(zeroint())) = x; 
mitint(x,y) = sumint(x,mltint(x, predint(y))); 
if eqint(y,zeroint()) = true() 
then 


divint(x,y) is undefined; 
else if ItintCabsint(x),absint(y)) = true) 
then 
Givint(x,y) = zeroint; 
else if or 
and(gtint(x, zeroint()), 
gtintly, zeroint())), 
and(ltint(x, zeroint()), 
Itint(y, zeroint())) 
) = true() 
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then 
divint(x,y) = sumint (suceine< zeroinvue 
divint(subint(x,y),y));3 
else 
divint(x,y) = sumint(predint(zeroint(), 
divint (sumint(%, y)35 7.20. 
endif; 
endif; 
endif; . 
if gtint(m, zeroint()) = true() 
then 
if Itint(n, zeroint()) = true() 
then 
modint(n,m) = modint(sumint(n,m),m); 
else 
modint(n,m) = subnat(n, 
miltnat(m, divint(n,m))); 
endif; 
else 
modint(n,m) is undefined; 
endif ; 
eqint(n,m) = eqint(succint(n), succint (moe 
@etint(succint(n),n? = true ©; 
equivrel (eqint, int) ; 
irreflexive(gtint, int); 
irreflexive(ltint, int); 
transitive Cgtint, ine; 
transitive(!ltint, int); 
transitive(geint, int); 
transitive(leint, int); 
antisymmetric(geint, int); 
antisymmetric(leint, int); 
symmetric(neint, int); 
commutative(sumint, int); 
commutative(mltint, int); 
associative(sumint, int); 
associative(mltint, int); 


end integer; 


Resource character is 


Extension of 
boolean 


Operands 
char; 


Operators 
"A’,'B" ,? CC’ 5. 5) Gi ee aie 


7a’, ' Db’, 7 Ol way” 2 aoe eho 
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tate Cemetery 2 BN 0? SP teh heh 8 2 > Char ; 

ae eet? ety? et, i? -> char;3 

ER I a nara er ee Aa char; 

Monee ae a= > Char: 

iar sy ae 95° 6B", 7? 8" »9? —O”" s -> char; 

NUL: -> char; 

Sri 7 ce man: 

STX: -> char; 

EXT: -> char; 

P@tsce—> ¢chars; 

ENG. .-> ‘char; 

ACK: -> char; 

BEEe) -> Char; 

note > Char: 

Mik > Char; 

Ere -> Char; 

Vi: -> Char; 

nee s> Char; 

Cre —> Ghar; 

SO: -> char; 

Sli > Char; 

DEE. => ‘Ghar; 

Dew: )-> char >? 

DeZzs => Char; 

Deo. -> Char; 

DC4: -> char; 

NAK: -> char; 

SiN: -> char; 

Een eer ->) char : 

CAN => char; 

Prien ->) Ghar ; 

SUSe—-> sehnar 5 

ESC: -> char; 

FS: -> char; 

Go. —> char: 

Roce -> Char; 

oi -> char; 

Son -> Char: 

Dela: -> char: 

eqchar: char,char -> bool; 

gtchar: char,char -> bool; 

Derived Operators 
ltchar: char,char ~> bool; 
gechar: char,char -> bool; 
lechar: char,char -> boo!; 
nechar: char,char -> bool; 


Derived Definition 
Itchar(n,m) = 
gechar(n,m) 
lechar (n,m) 


not(Cor(gtchar(n,m),eqchar(n,m))); 
not(itchar(n,m)); 
moe<etchar(n,m) ) ; 
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nechar(n,m) = notCeqchar(n,m)); 


Properties 


gtchar(DLE,” "2 = trueo,: 
gtchar(’ 7772) )) =) true @.; 
gtchar(”) 3" Om] truew., 
ftchar(’ 1%,’ {7 Je Mmruew:, 
gtcharG’ {’ ,"2°). =. 9ue Gm: 
gtchar(’ 2’ 5..." a 2 — Unuea:, 
gtehnar(’a’,’°*) =strue QO: 
gtchar(’”’? ,’ =") G="trve@: 
gtchart” _°,”-" )3= strue«.; 
gstchar€’"*);? 17 %s--" rue... 
gstchart’ 1”, 7) = teueo:: 
gtchart’”,’ tl") =] true; 
gtchar(’ (7, ’ 2’ y= true oe, 
gtChar (7 2" 3s sa A = ele Gon, 
gtchar(’A’,’@’) = true(); 
gtchar(’@”,’ 7" )) = true; 
gtchar(” 27,47 >7) == serue @) 
gtehar(’>”,° =") =strue (): 
gtchar(”s’,7<' )3= true ()- 
ptchar(" <*°3. Dust nue le: 
gtchart* s 32" 9) = true <<): 
gtchar(’ 2:°, 3) =struet): 
St enanr Sor yen © asa et Tue Co). 
gtchar ("07,77") == true): 
gtchart 77" ...2)-)— rue (> 
gtchar ©’ ." ..) =) = @rue ():; 
gtchart(’ =", 7," ). = true «.; 
gichar¢’. 4. +’. =} crue): 
gtenar(’ +: , 7’ *") = true t): 
gienar (” #7 ,') "> “= true (): 
gtieharG’ 2-4. Co) =] serue c)): 
gtchar(’ (*;, °"7)° = @ruec); 
gtchart’*’? ,’&’) = true"); 
gptchar (’ &™ 5° 2") = Crue. 
ptchart’”’,’S”’) = true: 
gtchar ('$",’°#’) = true OO. 
gtchar(’#’,°"") = true@Qe 
gtchar(’"™’,*’!?) = true@er 


gitchar<’ !",SP) =true cu): 
gtchar (Sh, US) = truce. 
gtchar(US,RS) = 
gtchar(kRS,GS) = true@e 
gtchar(GS,FS) = trueoe 
gtchar(FS, ESC) = true wm: 
gtchar(ESC,SUB) = true(); 
gtchar (Sub, EM) = erue oO 
gtchar(EM,CAN) = true(); 
gtchar(CAN, ETB) = true(); 
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Prenar (ETSS YN) true (); 


gtchar(SYN,NAK) = true(); 
gtchar (NAK,DC4) = true(); 
gtchar(DC4,DC3) = trued); 
gtchar(DC3,DC2) = trued); 
wecnar  (DCZ. bel) = true c); 
gtchar(DC1i,DLE) = true(d); 


gtchar(DLE,SI) = true (); 


gtchar(S!{,SO) = true(); 
gtchar(SO,CR) = true(); 
gtchar(CR,FF) = true(); 
gtchar(FF,VT) = true(); 
gtchar(VT,LF) = true(); 
gtchar(LF,HT) = true(); 
gtchar(HT,BS) = true(); 


gtchar(BS, BEL) = true(); 


gtchar(BEL,ACK) = true(); 
gtchar(ACK,ENQ) = true(); 
gtchar(ENQ,EOT) = true(); 
gtchar(CEQT,ETX) = true(); 
gtchar(ETX,STX) = true); 
gtchar(STX,SOH) = true(); 
gtchar(SOH,NUL) = true(); 


equivre! Ceqchar, char); 
irreflexive(gtchar, char); 
transitive(gtchar, char); 
irreflexive(ltchar, char); 
transitive(]tchar,char) ; 
transitive(gechar, char); 
transitive(lechar)char); 
antisymmetric(gechar,char); 
antisymmetric(lechar,char); 
Symmetric(nechar); 


end ; 


Resource string(telelment) is 
Parameter element is 


Extension of 
boolean 


Operands 
Im; 


Operators 
eqim: Im,lm -> bool; 
gtim: Im,Im -> bool; 


Derived Operators 


By 


ltim: Im, |m -> boc, 
gelm: Im, Im -> bool; 
lelm: Im,lm -> bool; 
nelm: Im,im -> book: 
Derived Definition 
Itlm(n,m) not(Cor(gtim(n,m),eqintn, moos 


not CltlIm(n, mo 
not(gtIlm(n,m)); 
notCeqim(n,m)) ; 


gelm(n,m) 
lelm(n,m) 
nelm(n,m) 


Properties 
equivrel(Ceqim, im); 
irreflexive(€gtIim, 1m); 
transitive(gtIim, im); 
irreflexive(C|!ltIm, 1m); 
transitive (ltim, 1m); 
transitive(gelm, Im); 
transitive(lelm)1m);3 
antisymmetric(gelm, 1m); 
antisymmetric(lelm, Im); 
symmetric(nelm) ; 


Extension of 


natural; 
boolean; 


Operands 


Str. im; 


Operators 


=> Streim-; 

lm => (‘st re iom:- 
Str.im => nae; 

Str. im -—> elm; 

Str. 1m = eset .im: 
str.lm,str.im —> fsitro om. 
Sstr.im,strn. im —-> soeot, 
str.im,str.im —-> boeolk 


nul istr. lim: 
makestr.Im: 
lenstr. Im: 
headstr.I1m: 
tailstr.Im: 
catstr.Im: 
eqstr.im: 
etser. Um: 


Derived Operators 


ltstr.lm: str.im,;str vim —> jbo. 
gestr.lilm: str.lm,str.lm -> boon, 
lestr.Im: str.im,str.im -—> boale 
nestr.Im: str.Ilm,str.Im -> bool; 


Derived Definition 
Itstr.Ilm(n,m) 


notCor(gtstr. lm(n,m), eqstr. im nme. 


gestr.Im(n,m) 
lestr.Im(n,m) 
nestr.Ilm(n,m) 


Properties 


not¢ltstr.Ilm(n,m)); 
not(gtstr. lmOn, moe 
notCeqstr.Im(n,m)); 
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lenstr.Im(nullstr.Iim()) = zeronat(); 
lenstr. Im(makestr.Im(1)) = succenat(zeronat()); 
lenstr.Im(catstr.Iim(si,s2)) = 
sumnat(lenstr.Ilm(si), lenstr. Im(s2)); 
headstr. Ilm(makestr.Im(1)) = 13 
tailstr.Im(makestr.Im(1)) = nullstr.Im(); 
headstr.Im(catstr.Ilm(makestr. Ilm(l),s)) 
tailstr.Im(catstr. lm(makestr.Im(1l),s)) 
headstr.Im(nullstr.Im()) is undefined; 
tailstr.Im(nullstr.Im()) = nullstr.Im() 
catstr.Im(catstr.Iim(si,s2),s3) = 
catstr.Im(si, catstr.lm(s2,s53)); 
catstr.Im(nullstr.Im(),s) = catstr. lm¢ 
s,nullstr.Im()) = s;3 
implies(Ceqim(11,12),eqstr.Im(makestr.Im(11), 
makestr.Im(12))) = true ();3 
implies(gtIm(11,12), gtstr. Im(makestr.Im(11), 
makestr.Ilm(12))) = true(); 
gtnatClenstr.Iim(makestr.Im(1), 
lenstr.Iim(nullstr.Im()) = true(); 
implies(gtnat(lenstr.Im(si), lenstr.Im(s2)), 
gtstr,im(si,sZ2) = true); 


we 


l 
Ss 


we 


if lenstr.Im(si1) != zeronat() 

then 
Scimauccrenstr. |lmCcatstr. Ilm(si,s2Z), 
lenstr.Im(s2) = true(); 

else 
eqnat(lenstr.Iim(catstr.Im(s1,s2), 
lenstr.Im(€s2) = true(); 

end it 


equivrelCeqstr.Im,str.Im); 
irreflexive(gtstr.Im,str.Im); 
eramsrtive(gtstr.im,str.Iim?); 
irreflexive(Itstr.Im,str.I1m);3 
transitive(|!ltstr.Im,str.Ilm); 
transitive(gestr.Im,str.Im); 
transitive(lestr.Iim)str.Im); 
antisymmetric(gestr.Im,str.I1m); 
antisymmetric(lestr.Im,str.Ilm); 
symmetric(nestr.Iim,str.I1m); 


end string(element); 


Resource string(character) is 


where 
Im = char; 


nullstr.char = nullstr.Im; 
makestr.char = makestr.Im; 


len.char = lenstr.I1m; 
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head.char = headstr.I1m; 


tail.char = tallstr arn, 
cat.char = catstr.Iim; 
eq.char = eqstr.I1m; 
gt.char = gtstr.I1m; 


lt.char =" Testraim; 


ge.char = gestr.I1m; 
le.char = lestr.Im; 
ne.char = nestr.I1m; 


end string(character) ; 


Resource identifiers is 


Extension of 
boolean 


Operands . 
memid; 
Regia: 
stkid; 
fig: 


Operators 
idopers(memid,memsem) ; 
idopers(redid,regseg); 
idopers(stkid,stkseg) ; 
idopers(fid.fseg); 


Properties 
idaxiom(memid,memseg) ; 
idaxiom(regid, regseg) ; 
idaxiom(stkid,stkseg); 
idaxiom(fid, fseg); 


end ; 


Resource memaddress is 


Extension of 
identifiers, 
boolean 


Operands 
memaddr; 


Operators 
startmemaddr: memid -> memaddr; 
nextmemaddr: memaddr -> memaddr; 
prevmemaddr: memaddr -> memaddr; 


ao 


getmemid: memaddr -> memid; 
offset: int,memaddr -> memaddr; 
eqmemaddr: memaddr,memaddr -> bool; 


Properties 
prevmemaddr(startmemaddr(i)) is undefined; 
prevmemaddr(nextmemaddr(m)) = m; 
nextmemaddr(prevmemaddr(m)) = m; 
offset(succint(n),m) = nextmemaddr(offset(n,m)); 
if offset(n,m) = startmemaddr() 
then 
offset(predint(n),m) is undefined; 
else 
offset(predint(n),m) = prevmemaddr(offset(n,m)); 
endif; 
eqmemid(i, getmemid(offset(n, startmemaddr(i)))) = 
true(); 


eqmemaddr(startmemaddr(il),startmemaddr(i2)) = 
eqmemid(i1l,i2); 

eqmemaddr(startmemaddr(i),nextmemaddr(a)) = false (); 

eqmemaddr (nextmemaddr(al),nextmemaddr(a2)) = 
eqmemaddr(al,a2); 

offset(zeroint(),m) = m; 

eqivrel (eqmemaddr,memaddr); 


end memaddress ; 


Resource regaddress is 


Extension of 
identifiers, 
boolean 


Operands 
regaddr; 


Operators 
startregaddr: regid -> regaddr; 
nextregaddr: regaddr -> regaddr; 
prevregaddr: regaddr -> regaddr; 
getregid: regaddr -> regid; 
eqregaddr: regaddr,regaddr -> bool; 


Properties 
prevregaddr(startregaddr(i)) is undefined; 
prevregaddr(nextregaddr(m) ) m ; 
nextregaddr (prevregaddr(m) ) Mm ; 


eqregaddr(startregaddr(il),startregaddr(i2)) = 
eqregid(i1l,i2); 
eqregaddr(startregaddr(i),nextregaddr(a)) = false(); 


ol 


eqregaddr(nextregaddr(ai),nextregaddr(a2)) = 
egqregaddr(ail,a2); 


eqivrel (eqregaddr, regaddr); 


end regaddress; 


Resource stkaddress is 


Extension of 
identifiers, 
boolean 


Operands 
stkaddr; 


Operators 
getstkid: stkaddr -> stkid; 
eqstkaddr: stkaddr,atkaddr -> bool; 
Properties 
eqstkaddr(nextstkaddr(ai),nextstkaddr(a2)) = 
eqstkaddr(al,a2); 
equivrel (eqstkaddr,stkaddr) ; 


end stkaddress ; 


Resource files is 
Extension of 
identifiers, 


boolean 


Operands 
files 


Operators 
getfile: fid => 4c. 
eqfile: file, file =~ boeol; 
Properties 
eqfile(getfile(il), getfile(i2)) = eqfile(iil,i2); 
equivrel(eqfile,file); 
end files; 


Resource operatorclasses is 


Extension of 


SZ 


Operands 
MOP; 
dop; 
top; 
qop; 
SOP; 
OOp; 
rop; 
bop; 


Operators 
Properties 
end operatorclasses; 
Resource instructiontype is 
Extension of 


Operands 
ias tr ; 


Operators 
Properties 
end intructiontype; 
Resource typing is 


Extension of 
boolean; 
natural; 
integer; 
character; 
string(character) ; 
identifiers; 
memaddress;3 
regaddress; 
stkaddr; 
files; 
operatorclasses; 
Paeructiontype; 


Operands 


type; 
val; 


Operators 
typingopers(bool); 
typingopers(nat); 
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typingopers(int); 
typingopers(char) ; 
typingopers(str.char)); 
typingopers(memid) ; 
typingopers(regid); 
typingopers(stkid); 
typingopers(fid); 
typingopers (memaddr) ; 
typingopers(regaddr); 
typingopers(stkaddr); 
typingopers(file); 
typingopers(mop); 
typingopers(dop); 
typingopers(top); 
typingopers(qop); 
typingopers(sop) ; 
typingopers(oop) ; 
typingopers(rop); 
typingopers(bop); 
typingopers(instr); 


whattype: val -> type; 
eqtype: type,type -> bool; 


Properties 
typingaxiom(boo!); 
typingaxiom(nat) ; 
typingaxiom(Cint); 
typingaxiom(char); 
typingaxiom(str.char) ; 
typingaxiom(memid) ; 
typingaxiom(regid) ; 
typingaxiom(stkid) ; 
typingaxiom(fid); 
typingaxiom(memaddr); 
typingaxiom(regaddr); 
typingaxiom(stkaddr); 
typingaxiom(file); 
typingaxiom(mop) ; 
typingaxiom(dop) ; 
typingaxiom(top); 
typingaxiom(qop); 
typingaxiom(sop) ; 
typingaxiom(Coop) ; 
typingaxiom(rop); 
typingaxiom(bop) ; 
typingaxiomCinstr);3 
equivrel Cinstr); 


end typing; 
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Resource operators is 


Extension of 
operatorclasses, 


‘typing 
Cperands 


Operators 
boolnot: -> mop; 
booland: -> dop; 
bo@!@an:, => cop; 
natpred: -> mop; 
HNavewce: —> Mop; 
natsum: -> dop; 
natsub: -> dop; 
nateq: me > rop; 
Nake: =2 rap; 
Natweees: — > OID; 
intpred: -> mop; 
inNesuce: => mop; 
Pieasss a -- Map; 
intnecot: => mop; 
intiton: -> mop; 
intsum: -> dop; 
Piesuo:s —-> Gop; 
Piemi ts -> GOP; 
imMbadey s => dOp; 
imeonca:  —> dap; 
ivceg:s-> rap; 
mnueet e-> Trop; 
iti ts => Trop; 
ehareq: -> rop; 
chargt: -> rop; 
charmakestr: -> mop; 
eharstrlen: => mop; 
charheadstr: -> mop; 
enambailistr: -> mop; 
charcatstr: -> dop; 
str.chareq: -> rop; 
Sthaecmargt: -> rop; 
MS pD@anls => bop; 
isnat: -> bop; 
lsime: => bop; 
mSeCmarc:) —>? bop; 
msostr.cmar: -> DOp; 
ismemid: -> bop; 
isregid: -> bop; 
isstkid: -> bop; 
mStiid: => bep; 
ismemaddr: -> bop; 
isregaddr: -> bop; 


isstkaddr: -> bop; 
isfile: -> bop; 
ismop: => oop, 
isdep: => bon; 
istoOp: > oer, 
1Sqdop: > cor, 
issop: +> bop; 
iSOOD + -> DoD; 
[Sr Op? .a> eben: 
isbop: => bop; 
isinstr: —-> bop, 


applymop: mop,val -> val; 

applydop: don, vali vale-~ vole, 

applytop: top,val,val,val -> vals 

applyqop: qop,val,val,val,val -> val; 
applysop: sop,val,val,val,val,val -> val; 
applyoop: oop,val,val,val,val,val,val -> val; 
applyrop: rop,;val,val -> vale 

applybop: bop, wal —> val; 


Properties 
applymop(boolnot(),v) = valofbool (not Catomofbool (v)); 
applydop(booland(),vi,v2) = valofbool ¢ 
andCatomofbool(vi),atomofbool(v2)); 
applydop(boolor(),vi,v2) = valofboo!l ¢ 
orCatomofbool (vi), atomofbool(v2)); 
applymop(natpred(),v) = valofnat( 
prednat(atomofnat(v)); 
applymop(natsucc(),v) = valofnat( 
succnat(atomofnat(v)); 
applydop(natsum(),vi,v2) = valofnat( 
sumnat(Catomofnat(v1),atomofnat(v2)); 
applydop(natsub(),v1,v2) = valofnat( 
subnat(atomofnat(vi),atomofnat(v2)); 
applymop(Cintpred(),v) = valofint( 
predint(atomofint(v)); 
applymop(intsucc(),v) = valofint(¢ 
Succint (atomot int (vy); 
applymop(intabs(),v) = valofint( 
absint(atomofint(v)); 
applymop(intntoi(),v) = valofint( 
Ntolint (atomofint(v.) - 
applymopCintitont),v) - valotince 
1tenint Catomotine ty)» 
applydop(Cintsum(),vi,v2) = valofint( 
sumint(atomofint(v1),atomofint(v2)); 
applydop(intsub(),v1,v2) = valofint( 
subint(atomofint(vl1),atomoftfinw v2 es 
applydopCintm!lt(),v1,v2) = valence 
miltintCatomofint(vl), atomotfinte v2 >... 
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applydopCintdiv(),v1,v2) = valofint( 
divint(atomofint(vi1),atomofint(v2));3 

applydop(intmod(),vi,v2) = valofint( 
modint(Catomofint(v1),atomofint(v2)); 


applymop(charstrlen(),v) = valofnat( 
lenstr.char(atomofstr.char(v))); 
applymop(charmakestr(),v) = valofstr.char ( 


makestr.char(atomofchar(v)));3 

applymop(charheadstr(),v) = valofchar ( 
headstr.char(atomofstr.char(v)))3;3 

applymop(chartailstr(),v) = valofstr.char( 
tailstr.char(atomofstr.char(v))); 

applydop(charcatstr(),vi,v2) = valofstr.char ( 
catstr.char(atomofstr.char(vi), 
atomofstr.char(v2)));3 

relop(nat,eq); 

relop(nat, gt) ; 

relop(nat, !t); 

relop(int, eq) ; 

relop(int, gt); 

relop(int,!t); 

relop(char,eq) ; 

relop(char, gt); 

relop(str.char,eq); 

relop(str.char, gt); 

isops(bool); 

isops(nat); 

isops(int); 

isops(char) ; 

isops(str.char);} 

isops(memid) ; 

isops(regid); 

isops(stkid); 

isops(fid); 

isops (memaddr) ; 

lisops(regaddr); 

isops(stkaddr); 

isops(file); 

isops(mop);3 

isops(dop) ; 

isops(top); 

isops(qop) ; 

isops(sop); 

isops (oop) ; 

isops(rop); 

isops(bop); 

isops(Cinstr); 


end operators; 


=i 


Resource intructions is 


Extension of 
natural, 
integer, 
memaddress, 
regaddress, 
stkaddress, 
operatorclasses, - 
intructiontyoe, 


typing 
Operands 


Operators 

Okes: =O inser: 

extern: -> instr; 

globl: -—>- inser; 

Moecgin: =? inser: 

mend: -> instr; 

oeffst: int,regaddr [> inser; 

link: regaddr, nat) -> i1nsen; 

unlink: regaddr -> instr; 

monads: mop,regaddr -> instr; 

monad: mop,regaddr,regaddr -> instr; 

monadi: mop,val,regaddr -> instr; 

dyads: dop,regaddr, regaddr =>) insets. 

dyadsi: dop,val,regaddr -> instr; 

dyad: dop,regaddr,regaddr,regaddr -> instr; 

dyadi: dop,val,regaddr,regaddr -> instr; 

triads: top,regaddr,regaddr,regaddr -> instr; 

triadsi: top,val,regaddr,regaddr -> instr; 

triad: top,regaddr,regaddr, regaddr,regaddr -2>.1nseo 

triadi: top,val,regaddr,regaddr,regaddr -> insen,; 

quads: qop,regaddr,regaddr,regaddr,regaddr -> instr; 

quad: qop,regaddr,regaddr,regaddr, 
regaddr,regaddr -> instr; 

sexads: sop, regaddr,regaddr,regaddr, 
regaddr,regaddr,regaddr -> instr; 

sexad: sop,regaddr,regaddr,regaddr,regaddr, 
regaddr,regaddr,regaddr -> instr; 

octads: oop,regaddr,regaddr,regaddr, regaddr, 
regaddr,regaddr,regaddr,regaddr -> instr; 

octad: oop,regaddr,regaddr,regaddr,regaddr, 
regaddr,regaddr,regaddr,regaddr,regaddr -> instr; 

movi_m: val,memaddr -> instr; 

movi per: val, ings ceinst ss. 

movi_r: val,regaddr => Instn, 

movi ri: val, regaddnr es sinse, 

movi_rid: val,regaddr,int -> instr; 

movi_ridn: val,regaddr,nat, int) ot ncen, 

mov_m_m: memaddr,memaddr -> instr; 
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mov_m_r: memaddr,regaddr -> instr; 

mov_m_ri: memaddr,regaddr -> instr; 

mov_m_rid: memaddr,regaddr,int -> instr; 

mov_m_ridn: memaddr,regaddr,nat,int -> instr; 

MoV epCreper aint, int —7e instr ; 

mMOVoPCcr an: ime. regaddr —-> instr; 

MOV sper shim int, regaddr —-> instr; 

nmOVepCraricass int, resaddr, int —> instr; 

MOVvaPpecrunlanesint,regaddr, nat,int -> instr; 

mov_r_m: regaddr,memaddr -> instr; 

NMevwere Perm resaddr, int W=> instr ; 

mov_r_r: regaddr,regaddr -> instr; 

mov_r_ri: regaddr,regaddr -> instr; 

mov_r_rid: regaddr,regaddr,int -> instr; 

hovereriadn: regagddr, regaddr,nat,int -> instr; 

mov_ri_m: regaddr,memaddr -> instr; 

mover! per: —regaddr, int => instr; 

mov_ri_r: regaddr,regaddr -> instr; 

mov_ri_ri: regaddr,regaddr -> instr; 

mov_ri_rid: regaddr,regaddr,int -> instr; 

mov_ri_ridn: regaddr,regaddr,nat,int -> instr; 

mov_rid_m: regaddr,int,memaddr -> instr; 

NeOVvennea per: rTregaddr, int,int -> instr; 

mov_rid_r: regaddr,int,regaddr -> instr; 

mov_rid_ri: regaddr,int,regaddr -> instr; 

mov_rid_rid: regaddr,int,regaddr,int -> instr; 

mov_rid_ridn: regaddr, int,regaddr,nat,int -> instr; 

mov_ridn_m: regaddr,nat,int,memaddr -> instr; 

mov_ridn_pecr: regaddr,nat,int,int -> instr; 

mov_ridn_r: regaddr,nat,int,regaddr -> instr; 

mov_ridn_ri: regaddr,nat,int,regaddr -> instr; 

mov_ridn_rid: regaddr,nat,int,regaddr,int -> instr; 

mov_ridn_ridn: regaddr,nat, int, regaddr,nat, 
Pier > ins cr: 

push_i: val,stkaddr -> instr; 

push_m: memaddr,stkaddr -> instr; 

push_pcr: int,stkaddr -> instr; 

push_r: regaddr,stkaddr -> instr; 

push_ri: regaddr,stkaddr -> instr; 

push_rid: regaddr,int,stkaddr -> instr; 

push_ridn: regaddr,nat,int,stkaddr -> instr; 

POpex-) Stkadar -—> instr; 

pop_m: stkaddr,memaddr -> instr; 

POp per: stkaddr,int -> instr; 

pop_r: stkaddr,regaddr -> instr; 

pop_ri: stkaddr,regaddr -> instr; 

pop_rid: stkaddr,regaddr,int -> instr; 

pop_ridn: stkaddr,regaddr,nat,int -> instr; 

mops =o. 1nSurs 

Som. => instr: 

jmp: memaddr -> instr; 

jmp_i: memaddr -> instr; 
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jmpir: fegaddr -—> inset... 

bra: int) osteo. 

bra_r: regaddr -> instr; 

if: relop,regaddr,regaddr,memaddr -> instr; 
ifi: relop,regaddr,val,memaddr -> instr; 
ifte: relop, regaddr,regaddr,memaddr,memaddr 
iftei: relop,regaddr,val,memaddr,memaddr -> 
if per: relop,regaddr, regaddr,int => sincsct.. 
ifi_per: relop,regaddr, val, int) —2 ansoe, 


-> insta 
instre 


ifte_per: relop,regaddr,regaddr, int, int ->eimocrm, 
iftei_per: relop, regaddr,val,int, int —-2 as em 


test: bop,regaddr,memaddr -> instr; 
testm: bop,memaddr,memaddr -> instr; 


teste: bop,regaddr,memaddr,memaddr -> instr; 


testme: bop,memaddr,memaddr,memaddr -> instr; 


test_per: bop,regaddr,int -> 1msce, 
testm_pcr: bop,memaddr,int -> instr; 
teste per: bop,regaddr,int, int. 2 eunstay 
testme_pcr: bop,memaddr,int,int -> instr; 
jsr: memaddr,stkaddr -> instr; 

jsr_i: memaddr,stkaddr -> instr; 

jsr_r: regaddr,stkaddr -> instr; 

bsr: int,;stkaddr’—-> instr: 

bsr-r: regaddr,stkaddr -> instr; 

rts: stkaddr -> instr; 

open: stkaddr -> instr; 

close: stkaddr =-2 inser: 

read: stkaddr -> instr; 

write: stkaddr -> instr; 


Properties 


end intructions; 


Resource amstate 


Extension of 
boolean, 
natural, 
integer, 


is 


str(character), 
memaddress, 
regaddress, 


files, 


identifiers, 


typing 


Operands 
state; 


Operators 
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fetchm: memaddr,state -> val 
fetchr: regaddr,state -> val 
storem: val,memaddr,state -> state; 

storer: val,regaddr,state -> state; 

initam: -> state; 

initstk: stkaddr,state -> state; 

topstk: stkaddr,state -> val; 

pushstk: val,stkaddr,state -> state; 

popstk: stkaddr,state -> state; 

lalloc: nat,state -. memid; 

lfree: memid,state -> state; 

indir: nat,memaddr -> memaddr; 

infile: file,state -> val; 

outfile: val,file,state -> state; 

openfile: str.char,file,int,int,state -> state; 
closefile: file,state -> state; 

Emode: -> “lme: 

wmode: -> int: 

rwmode: -> int: 

openerr: -> int; 

openok: -> int; 

valdata: -> int; 

ehardatacs-> 1nht-: 


we Se 


active: memid,state -> bool; 


Properties 
topstk(s,initstk(s)) is undefined; 
popstk(s,initstk(s)) is undefined; 
popstk(s,initam()) is undefined; 
stateaxiom(m, memaddr); 
stateaxiom(r, regaddr); 
topstk(s(pushstk(v,s,q)) = v; 
popstk(s(pushstk(v,s,q)) = q; 


active(m,initam()) = false(); 
active(lalloc(n,q)q) = true(); 
actice(m,!free(m,q)) = false(); 
active(m,storer(v,r,q)) = active(m,q); 
active(m,storem(v,a,q)) = active(m,q); 
active(m, initstk(s,q)) = active(m,q); 
active(m, pushstk(v,s,q) = active(m,q); 
active(m, popstk(s,q) = active(m,q); 
active(m, outfile(v,f,q) = active(m,q); 
active(m,openfile(s,f,x,y,q) = active(m,q); 
active(m,closefile(f,q) = active(m,q); 
if active(m,q) = false() 
then 

fetchm(offset(n,m),q) is undefined; 
endif: 
if active(m,q) = false(); 
then 


storem(v,offset(n,m),q) is undefined; 
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endif; 
if Itint(n, ntoei (m2) ee eee 
then 
offset(n,offset(nl, startmemadar¢ 
lalloc(n2,q)))) = 
offset(suminti(n,ni), 
startmemaddr(lalloc(n2,q))); 
else 
offset(n,offset(ni, startmemadar (¢ 
lalloc(n2,q)))) is undefined; 


engi tf: 

indir(zeronat(),m) = m; 

if whattype(fetchm(indir(n,m),q) = typememaddr() 
then 


indir(succnat(n),m) = 
atomofmemaddr(fetchm(indir(n,m),q)); 

else 

indir(succnat(n),m) is undefined; 
endif; 
openfile(s,f,n,openfile(s,f,m,x,q)) is undefined; 
closefile(fCopenfile(s,f,n,x,q)) = q; 
infile(f,initam()) is undefined; 
infiletf,clhose(f,q))> is undefined: 
infile(f,openfile(s,f,wmode(),x,q)) is undefined; 
outfile(v,f,initam()) is undefined; 
outfile(v,f,close(f,q)) is undefined; 
outfile(v,f,openfile(s,f,rmode(),x,q)) is undefined; 
outifle(v,f,openfile(s,f,m, chardata(),q)) 

is undefined; 


end amstate; 


Resource am is 


Extension of 
memaddress, 
intructiontype, 
typing, 
amstate 


Operands 
prog: memaddr,state -> state; 


cond: val,memaddr,memaddr - memaddr; 
exq: instr,memaddr,state -> state; 


Operators 
prog(m,q) = exq(fatomofinstr(fetchm(m,q)),m,q); 
cond(valofbool(true(),mi,m2)) = mi; 


cond(valofboll(false(),mi,m2)) = m2; 


1@2 


Properties 
exq(offst(i,r),m,q) = 
prog(nextmemaddr(m), 
storer (¢ 
valofmemaddr (offset ( 
i.atomofmemaddr(fetchr(r,q)))), 
r,qQ)); 
exq(link(r,n)m,q) = 
prog(nextmemaddr(m), 
storer ( 
valofmemaddr(startmemaddr(lalloc(n,q))), 
r, storem(fetchr(r,q), 
startmemaddr(lalloc(n,q),q))));3 
exq(unlink(r),m,q) = 
prog(nextmemaddr(m), 
lfree( 
getmemid(atomofmemaddr(fetch(r,q))), 
storer ( 
fetchm(atomofmemaddr(fetchr(r,q),q), 
eos 
exq(monads(o,ri),m,q) = 
prog(nextmemaddr(m), 
storer(applymop(o,fetchr(ri,q)), 
ride. 
exq(monad(o,ri,r2),m,q) = 
prog(nextmemaddr(m), 
storer(applymop(o,fetchr(ri,q)), 
E2,40) 33 
exq(monadi(to,v,ri),m,q) = 
Prog(nextmemaddr(m), 
storer(applymop(o,v)),r1,q)); 
exq(dyads(o,ri,r2),m,q) = 
prog(nextmemaddr(m), 
storer(app! ydop( 
Oerowemn nid), totenr(rz,g)),r2,q)); 
exq(dyadsi(to,v,ri)m,q) = 
prog(nextmemaddr(m), 
Stone Capprnyeomcvy, recenr(rl,q)),ri,q)); 
exq(dyad(o,ri,r2,r3),m,q) = 
prog(nextmemaddr(m), 
storer(applydop(o, 
PouGMmeriwd), RetGnrirz,@)),r3,q));3 
exaqCayadi(Co,v,ri,r2),m,q) = 
prog(nextmemaddr(m), 
storer(applydop(o, 
vetetenn ents a) ),r2, qi); 
exq(triads(o, PY, r2,r3),m,q) = 
prog(nextmemaddr(m), 
Stores Gapplytap ta, fretchr(ri,a), 
foci. hetchin (rs, @) ),r3,q)) ; 
Exc G@eriaesi (O,V,6r!i,6r2),m,q) = 
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prog(nextmemaddr(m), 
storer(applytop(o,v, 
fetchr(ri,q), fetehr(rZ, qo 39 eZee 
exq(triad(o,ri,r2,r3,r4),m,q) = 
prog(nextmemaddr(m), 
storer(applytop(o,fetchr(ri,gq), 
fetchr(r2,q), fetchr (rs, q70, race 
exq(triadi(o,v,r1, 2, fso),0, 4 7 
prog(nextmemaddr(m), 
storer(applytop(o,v, 
fetchr(ri,q), fetcnr(rZ.0 00). -. 4s 
exq(quads(o,ri,r2,r3,r4),m,q) = 
prog(nextmemaddr(m), 
storer(applyqop(o,fetchr(ri,q), 
fetchr(rZ,q), fetenrCrs.a 
fetchr(r4,oq), raya". 
exgq(quad(o, ri, PZ, rs, 74, tS) ym 
prog(nextmemaddr(m), 
storer(applyaqop (oe, fetenncrl av. 
fetchr(rz2,q ),fetenr (i s,al, 
fetenr(r4, 4)57S,,400): 
exq(sexads(o,7T1,rZ,r3,f4,0o, 85... 4 
prog(nextmemaddr(m), 
storer(applygqop(o,fetchr(ri,q), 
fetchr(rZ, q), fe vennGro, 4a, 
fetchr(r4,q), fetenr es, qo, 
fetch (rs,oq),rG,aeP. 
exq(Sexad(o,rl,rZ,r3,r4,rS,06)5 7 0c 
prog(nextmemaddr(m), 
storer(Capplyqop(o;tetenn Grieg. 
fetchr(r2Z,q), fetenrwore.c., 
fetchr(r4, gq), fetenr tro ace. 
fetcn(r6, q),2 77 cro 
exqCoctads(o,ri,r2,r3, r4, 7S, 6S, 07,65 or eee 
prog(nextmemaddr(m), 
storer(Capplyqop(o, fetenr<«n.. av. 
fetchr(rZ,q>, fetenr Css ..c. 
fetchr(r4,q), fetens Gao, cap 
fetch(r6,q), fetenrG 7a, 
fetchr(r&; oq), 6S, oon 
exqCoctad(o,rl1,r2,r3, r4,r65, 7S, 07, 6on 62 al oe ee 
prog(nextmemaddr(m), 
storer(Capplygqop(o, fetehr ana. 
fetchr(r2Z,q), fetechrer sae 
fetchr(r4,q), fetehrers. ce. 
fetch(r6,q),fetenn en. ce 
fetchr(r8,q),r9,q)); 
exq(movi_m(v,m1),m,q) = 
prog(nextmemaddr(m), 
storem(v,mi,q)); 
exq(movi_per(v,29, m,a a= 
prog(nextmemaddr(m), 
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storem(v,offsieet(i,m),q)); 
exq(movi_r(v,r),m,q) = 
prog(nextmemaddr(m), 
storem(v,r,q))}3 
exq(movi_ri(v,r),m,q) = 
prog(nextmemaddr(m), 
storem(v,atomofmemaddr(fetchr(r,q),q)); 
exq(movi_rid(v,r,n),m,q) = 
prog(nextmemaddr(m), 
storem(v,offset( 
n, atomofmemaddr(fetchr(r,q),q)); 
Sexa(moviarvdndy,), it,12),m,q) = 
prog(nextmemaddr(m), 
storem(v,offset(i2, indir ( 
i1,atomofmemaddr(fetchr(r,q),q)); 


exq(mov_m_m(m1,m2),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(m1,q),m2,q)); 
exq(mov_m_r(m1l,r),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(mi,q),r,q)); 
exq(mov_m_ri(ml,r),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(ml1,q), 
atomofmemaddr(fetchr(r,q),q)); 
exq(mov_m_rid(ml,r,n),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(m1,q),offset( 
n, atomofmemaddr(fetchr(r,q),q)); 
Srau@mevemnaoriencmi, rr, il, iZ),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(m1l,q),offset(i2, indir 
il,atomofmemaddr(fetchr(r,q),q)); 


exqneaveper pertil,iz),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(il,m),q), 
offset(i2,m),q)); 
exq(mov_per_ r¢(il,r),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(Ciil,m),q),1r,q)); 
exatmovy per ritii,r)d),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(il,m),q), 
atomofmemaddr(fetchr(r,q),q)); 
Sx (ieavmpechmenri1Gd (itor. 12),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offsetCil,m),q),offset¢ 
iZ@pyavonatmemadar(fetchr(r,aq),q)); 
exqcneveperenridntil sr,n,i2),m,q) = 
prog(nextmemaddr(m), 


iOS 


storem(fetchm(offset(i1l,m),q),offset(i2, 
indir (n, atomofmemaddr(fetechr ?, 4) ae., 


exq(mov_r_m(ri,mi),m,q) = 
prog(nextmemaddr(m), 
storem(fetchr(rl,q) 7mece: 
exq(mov_r_per(r1,i),m,q) = 
prog(nextmemaddr(m), 
storem(fetchr(ri,q), oi iset(i,m 7a, 
exq(mov_r_or(ri,r2),m,q) = 
prog(nextmemaddr(m), 
storem(ifetenr(rl, ao, rz, ce, 
exq(mov_r_ri(riyeZz. nm, 4 — 
prog(nextmemaddr(m), 
storem(fetchr(ri,q), 
atomofmemaddr(fetchr(r2,q),q));3 
exq(mov-r rid(rl, r2,n), c= 
prog(nextmemaddr(m), 
storem(fetchr(ri,q),offset( 
n,atomofmemaddr(fetchr(r2,q),q)); 
exq(mov_r_ridnt(rl, r2,11 542) ce 
prog(nextmemaddr(m), 
storem(fetchr(ri,q),offset(i2, indir ¢ 
i1,atomofmemaddr(fetchr(r2,q),q)); 


exq(mov_ ri mre, m1). mn, oo 
prog(nextmemaddr(m), 
storem(fetchm(atomofmemaddr(fetchr(ri,q),q), 
mi, qo 
exq(mov_ri_per(ri,i)d,m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(atomofmemaddr(fetchr(r1,q),q), 
offset Gi, mm); qa): 
exgq(movy_ Flo rtrl 72m, 4 
prog(nextmemaddr(m), 
storer(fetchm(atomofmemaddr(fetchr(ri,q),q), 
r2Z,.405- 
exq(mov_ri_riCri,rZ),m, oo 
prog(nextmemaddr(m), 
storem(fetchm(atomofmemaddr(fetchr(r1,q),q), 
atomofmemaddr(fetchr(r2,q)),q)); 
exq (mov _frilorid(€rl, r2, no Ga 
prog(nextmemaddr(m), 
storem(fetchm(atomofmemaddr(fetchr(ri,q),q), 
offset(n, atomofmemaddr(fetchr(r2,q)),q)); 
exq(mov_ri ridn(ri, 2, i132, epee 
prog(nextmemaddr(m), 
storem(fetchm(atomofmemaddr(fetchr(r1,q),q), 
etfset(i2Z, indir 
i1,atomofmemaddr(fetchr(r2,q))),q));3 


exq(mov_rid m(ri, 11, min, ca 
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prog(nextmemaddr(m), 
storem(fetchm(offset(il, 
Atomommemaddr (fetchr(ri,q))),q),m1,q)); 
era (mov fiche pertri,il,i12) 7m, ay” = 
prog(nextmemaddr(m), 
storem(fetchm(offset(il, 
atomofmemaddr(fetchr(r1,q))),q), 
offset(i2,m),q)); 
exq(meverniasr€rl, n,rZ),m,q) = 
prog(nextmemaddr(m), 
storer(fetchm(offset(n, 
atemormemaddn(fetemr (rl,q))),q),rZ,q)); 
exqcmov rid ritri,i,r2), myq i= 
prog(nextmemaddr(m), 
storem(fetchm(offset(i, 
atomofmemaddr(fetchr(r1,q))),q), 
atomofmemaddr(fetchr(r2,q)),q));3 
Sxquniawehiauria(ni,i1t, r2,i10ym,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(il, 
atomofmemaddr(fetchr(ri,q))),q), 
offset(il, atomofmemaddr(fetchr(r2,q)),q));3 
exoemaverraduriantrl,re,it,i2,i3),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(il, 
atomofmemaddr(fetchr(ri,q))),q), 
offset(i3, indir ( 
i2,atomofmemaddr(fetchr(r2,q)))),q));3 


exqcmovertan m€ri,n,iil,ml),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offsetcil, 
indir(n, atomofmemaddr ( 
Rewenn (nt. 4) ))),q)4 m1, 4)? 
exccner of ilam. por (ri,n,il,i2),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(il, 
indir(n, atomofmemaddr(fetchr(ri,q)))),q), 
efisetCiz,m),q)); 
exq Umeoverian: r¢ri,ii,i2,r2),m,q) = 
prog(nextmemaddr(m), 
storer(fetchm(offset(iz2, 
indir(il, atomofmemaddr ( 
Het chiaGriencd)) )) 49) 4 62,9) ) + 
excrqmaverian riCri,il,i2,rZ),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(iZ, 
inet Cilia aeonearmemadar(fetenr(rl,q)))),q), 
atomofmemaddr(fetchr(r2,q)),q)); 
SxraCmovwenramenriad¢rt., 11,12,6r2,i3s),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(offset(iz, 
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indir(il, atomofmemaddr(fetenr (paiva) >) a. 
offset(i3, atomofmemaddr(fetchr(r2,q)),q)); 
exq(mov_ridn_ridn(ri,r2,1i1, 12,425,984 eno 
prog(nextmemaddr(m), 
storem(fetchm(offset(iz, 
indir(ii, atomofmemaddr(fetchr(r1,q)))),q), 
offset(i4, indir ¢ 
i3,atomofmemaddr(fetchr(r2,q)))),q))3 
exq(push_i(v,s),m,q) = 
prog(nextmemaddr(m), 
pushstk(v,s,q));3 
exq(push_m(mi,s),m,q) = 
prog(nextmemaddr(m), 
pushstk(fetchm(m1,q),s,q)); 
exq(push per (i,s)7m,q..- 
prog(nextmemaddr(m), 
pushstk(fetchm(offset(i,m),q),s,q)); 
exq(push_r(r,s),m,q) = 
prog(nextmemaddr(m), 
pushstk(fetehr(r, qd3s, a 
exq(push_ri(r,s),m,q) = 
prog(nextmemaddr(m), 
pushstk(Catomofmemaddr(fetchr(r,q)),5,q)); 
exq( push rid(Gr. nun, s?,m,q)=— 
prog(nextmemaddr(m), 
pushstk(fetchm(offset(n, 
atomofmemaddr(fetchr(r,q))),q),5,q)); 
exq(push ridnitr, ii,12,s5),m, qd 0a 
prog(nextmemaddr(m), 
pushstk(fetchm(offset(i2,indir(il, 
atomofmemaddr(fetchr(r,q)))),q),8,q))3 
exq(pop_x(s),m,q) = 
prog (nextmemaddr(m), 
popstk(s,;q)); 
exq(pop_m(s,mi),m,q) = 
prog(nextmemaddr(m), 
popstk(s,storem(topstk(s,q)7m2,4.)).. 
exq(pop_per(s,i),m,q) = 
prog(nextmemaddr(m), 
popstk(s,storem(topstk(s,q), 
efitsetti,m)..4... 
exq(pop_r(s,r),m,q) = 
prog(nextmemaddr(m), 
popstk(s,storer(topstk(s,q),17,q)))), mcs 
exq( pop ri(s,r))m,c..— 
prog(nextmemaddr(m), 
popstk(s,storem(topstk(s,q), 
atomofmemaddr(fetchr(r,q)),q))); 
exq(pop rid(s,r,n),m, 4a 75-— 
prog(nextmemaddr(m), 
popstk(s,storem(topstk(s,q),offset(n, 
atomofmemaddr(fetchr(r,q))),q)));3 
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exqCpop ridm(s,r, miyiZz),m,q) = 
prog(nextmemaddr(m), 
popstk(s, storem(topstk(s,q),offset(i2, 
indircil, atomofmemaddr(fetchr(r,q)))),q)));3 
exq(nop,m,q) = 
prog(nextmemaddr(m),q); 
exq(stop,m,q) = 
prog(m,q) = q; 
exq(jmp(m1l),m,q) = 
prog(ml,q); 
exq(jmp_i(mi),m,q) = 
prog(atomofmemaddr(fetchm(ml,q)),q);3 
exq(Cjmp_r(r),m,q) = 
prog(atomofmemaddr(fetchr(r,q)),q); 
exq(bra(n),m,q) = 
prog(offset(n, nextmemaddr(m)),q); 
exq(bra_r(r),m,q) = 
Prog (orifsetCatomofint(fetchrtr,q)), 
nextmemaddr(m)),q); 
excqG@i: (Oo, ri,r2,Mml),Mm, ao. = 
Breet conacapplyroaop.o, fetenr(ri,q),fetchr(rZ2,q)), 
mi,nextmemaddr(m)),q); 
Scent 1 (On r, 7,ml),m,q) = 
Peo? Ceond (ape ynopoco, fetehr(r,q),v, 
mi,nextmemaddr(m)),q); 
excoertteCo,ri, r2,mi,m2),m,q) = 
Phepgecona app lyrop ro, fetenr(rl,g),fetchr(r2,q), 
Mi, m2), 4) 3 
exqieinte1Co,r,Vv,ml,m2),m,q) = 
Prom conga applyrop(o, fetecnr(r,q),v,mi,m2),q); 


Srceltoper(o,ri,rZ2,n),;m,q) = 

Prog (cona Capplyrop (to, fetchr(ril,q),fetchr(r2,q), 

offset (n, nextmemaddr(m)),nextmemaddr(m)),q); 
Sexcqarri pento,r,V,n),m,q) = 

prog CecondCapplyrop(o, fetchr(r,q),v), 

offset (n, nextmemaddr(m)),nextmemaddr(m)),q); 
SxMcierte (oO, bl, r2,il,i2),m,q) = 

PaocceconaCapplyrop(o, fetchrt(ri,gq),fetchr(r2,q), 

offset(il,nextmemaddr(m)), 

offset(i2, nextmemaddr(m))),q); 
exqCiftei(Co,r,v,mi,m2),m,q) = 

broec comacapplyropto, fetehr(r,q),v), 

offset(il,nextmemaddr(m)), 

offset(i2,nextmemaddr(m))),q); 
exq(test(o,ri,mi),m,q) = 

broetconaCapplybopto, fetehrtrl,q)), 

mi,nextmemaddr(m)),q); 
exq(testm(o,m2,mi),m,q) = 

prog(cond(Capplybop(o, fetchm(m2,q)), 

mi,nextmemaddr(m)),q); 
exq(teste(o,ri,mi1,m2),m,q) = 
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prog(cond(applybop(o, fetchr(r1,q)), 
mi,mZ >, 4), 
exq(testme(o,m3,m1,m2),m,q) = 
prog(cond(applybop(o,fetchm(m3,q)), 
mil, mZ),-a; 
exq(test per(lo,rl,n),m,4dq >5— 
prog(cond(applybop(o, fetchr(ri1, q)); 
offset(n,nextmemaddr(m)), 
nextmemaddr(m)),q); 
exq(testm_per(o,m2,n),m,q) = 
prog(cond(app! ybop(o, fetchm(m2, q) ); 
offset(n,nextmemaddr(m)), 
nextmemaddr(m)),q)3;3 
exq(teste _per(o,ri,id, ? 2, a 
prog (cond(appl ybop(o, fetenr (ric, 
offset(il,nextmemaddr(m)), 
offset(iz2, nextmemaddr(m))),q);3 
exq(testme_per(o,m3,i1l,i2),m,q) = 
prog(cond(appl!ybop(o, fetchm(m3,q)); 
offset(il,nextmemaddr(m)), 
offset(i2, nextmemaddr(m))),q) 
exq(jsr(m1,s),m,q) = 
prog(mi, pushstk ( 
valofmemaddr (nextmemaddr(m)),s,q));3 
exq(jsr_i(m1,s),m,q) = 
prog(atomofmemaddr(fetchm(m1,q)), 
pushstk(valofmemaddr (nextmemaddr(m)),sS,q))3 
exq(jsr_i(tri,s),m,q) = 
progCatomofmemaddr(fetchr(ri,q)), 
pushstk(valofmemaddr (nextmemaddr(m)),s,q)); 
exq(bsr(n,s),m,q) = 
prog(offset(n, nextmemaddr(m)), 
pushstk(valofmemaddr(nextmemaddr(m)),s,q)); 
exq(bsr_r(r,s),m,q) = 
prog(offset(atomofint(fetchr(r,q)), 
nextmemaddr(m)), 
pushstk(valofmemaddr (nextmemaddr(m)),s,q));} 
exq(rts(s),m,q) = 
prog(atomofmemaddr(topstk(s,q)),popstk(s,q)); 
exqCopen(s),m,q) = 
prog(nextmemaddr(m),openfile¢ 
atomofstr.char(topstk(s, popstk(s, popstk(s, 
popstk(s,q))))), 
atomoffile(topstk(s, popstk(s, popstk(s,q)))), 
atomofint(topstk(s,popsstk(s,q))), 
atomofint(topstk(s,q), 
Popstk(s, aq 700. 
exq(close(s),m,q) = 
prog(nextmemaddr(m),closefile(¢ 
atomoffile(Ctopstk(s,q)), 
popstk(s,q))); 
exq(read(s),m,q) = 


a, 


prog(nextmemaddr(m),storem(infile( 
atomoffile(topstk(s, popstk(s,q))), 
popstk(s,q)), 

atomofmemaddr(topstk(s, popstk(s,q)), 

popstk(s,q))); 

exq(write(s),m,q) = 

prog(nextmemaddr(m),outfile(fetchm( 
atomofmemaddr(topstk(s, popstk(s,q))), 
popstk(s,q)); 

atomoffile(topstk(s,q)), 

popstk(s,q))); 


end am; 


APPENDIX B: COMPLETE SPECIFICATION OF A SUBSET OF 





THE ABSTRACT PROCESSOR 


Resource intructions is 


Extension of 
natural, 
integer, 
memaddress, 
regaddress, 
stkaddress, 
operatorclasses, 
intructiontype, 
typing 


Operands 


Operators 


monad: mop,regaddr,regaddr -> instr; 


dyad: dop,regaddr,regaddr,regaddr 
triad: top, regaddr,regaddr,regaddr 
mov_m_r: memaddr,regaddr -> instr; 
mov_r_m: regaddr,memaddr -> instr; 
mov_r_r: regaddr,regaddr -> instr; 
push_r: regaddr,stkaddr -> instr; 
pop_r: stkaddr,regaddr -> instr; 
jmp_r: regaddr -> instr; 

if: relop,regaddr,regaddr,memaddr 
jsr: memaddr,stkaddr -> instr; 
rts: stkaddr -> instr; 


Properties 


end intructions; 


Resource amstate is 


Extension of 
boolean, 
natural, 
integer, 
str(character), 
memaddress, 
regaddress, 
files, 
identifiers, 
typing 


=? ANnSED. 
,;regaddr -> 


=> Wenis Une 


inst im 


aeatic 
Operands 
state; 


Operators 
fetchm: memaddr,state -> val; 
fetchr: regaddr,state -> val; 
storem: val,memaddr,state -> state; 
storer: val, regaddr,state -> state; 
topstk: stkaddr,state -> val; 
pushstk: val,stkaddr,state -> state; 
popstk: stkaddr,state -> state; 
initam: -> state; 
initstk: stkaddr,state -> state; 


active: memid,state -> bool; 


Properties 

topstk(s,initstk(s)) is undefined; 

popstk(s,initstk(s)) is undefined; 

popstk(s,initam()) is undefined; 

stateaxiom(m,memaddr) ; 
stateaxiom(r,regaddr); 
topstk(s(pushstk(v,s,q)) = v; 

popstk(s(pushstk(l(v,s,q)) = q; 


active(m,initam()) = false (); 
active(m,storer(v,r,q)) = active(m,q); 
active(m, storem(v,a,q)) = active(m,q); 
active(m,initstk(s,q)) = active(m,q); 
active(m, pushstk(v,s,q) = active(m,q); 
active(m, popstk(s,q) = active(m,q); 
if active(m,q) = false() 
then 

fetchm(offset(n,m),q) is undefined; 
endif; 
if active(m,q) = false(); 
then 

storem(v,offset(n,m),q) is undefined; 
endif; 
Gieeltamntim,ntoitnz)) = true © 
then 


offset(n,offset(ni, startmemaddr ( 
lalieoe(n2,9)))) = 
offset(suminti(n,nl), 
Stanememadar< lal loet(nZ,q))); 
else 
offset(n,offset(ni, startmemaddr ( 
Nalwvoe(nZ2,q)))) 1s undefined; 


endif; 

indir(zeronat(),m) = m; 

if whattype(fetchm(indir(n,m),q) = typememaddr() 
then 


LAGS) 


indirtCsucenattn), me — 
atomofmemaddr(fetchm(indir(n,m),q)); 
else 
indir(succnat(n),m) is undefined; 
endif; 


Dynamic 
Entry Places 
req fetchm(netlabel)(€memaddr.state]; 
req storem(netlabel){val.memaddr.statel]; 


req fetchr(netlabel)lCregaddr.state]; 
req storer(netlabel){val.regaddr.statel]; 


req_topstk(netlabel)(€stkaddr.state]; 
req _pushstk(netabel)fval,stkaddr.state]; 
req popstk(netlabel){€stkaddr.state]; 
req_initstk(netlabel)(€stkaddr.state]; 


req _ initam()(] 


Exit Places 
avail fetchm(netlabel)fval]J; 
avail _storem(netlabel){€state]; 


avail fetchr(netlabel){fval]; 
avail _storer(netlabel)l€state]; 


avail _topstk(netlabel){Cval]; 

avail _pushstk(netlabel)C€state]; 
avail _popstk(netlabel){€state]; 
avall_initstk(netlabel)(€statel]; 


avail_initam(€state]; 


Internal Places 
access _avail(l]; 
fetchm_for(netlabel)(]; 
fetchm_activated{memaddr.state]; 
fetchm_completed([val]; 
storem_for(netlabel)(]; 
storem_activated({val.memaddr.state]; 
storem_completed(state]; 


access _availl]; 
fetchr_for(netlabel)(1]; 
fetchr_activated(regaddr.state]; 
fetchr_completed(val]; 

storer _for(netlabel)(]J; 
storer_activated(val.regaddr.state]; 
storer_completed(state]; 
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accessk_availl]; 
topstk_for(netlabel)C]; 
topstk_activated(€stkaddr.state]; 
topstk_completed(val]; 
pushstk_for(netlabel)C(]; 
pushstk_activated(val.stkaddr.state]; 
pushstk_completed[state]; 
popstk_for(netlabel)(j; 
popstk_activated(stkaddr.state]; 
popstk_completed([state]; 
initstk_for(netlabel)(C]J; 
initstk_activated(stkaddr.state]; 
initstk_completed(state]; 


Initial State 
=> accessm_availl]; 


=> accessr_avail(l]; 
=> accessk_availl]; 


Transitions 
act_fetchm: [memaddr.state],{] -> (C€memaddr.state],(]; 
perform_fetchm: [Cmemaddr.state] -> [val]; 
HMiniesheretchms fLvaki),C) -> Cvalj),C); 
act _storem: [Cval.memaddr.state],([€] -> 

Cval.memaddr.state],(]; 

perform_storem: [fval.memaddr.state] -> [state]; 
finish_storem: [Cstate],{f€] -> (€statel],(C]; 


act _fetchr: (Cregaddr.state],{€] -> 
Cregaddr.state],(]; 

perform_fetchr: Cregaddr.state] -> [val]; 

monanmretenmr: ELval],£] -> Evall],C1; 

act _storer: [Cval.regaddr.state],(€] -> 
Cval.regaddr.statel],([]; 

perform_storer: [Cval.regaddr.state] -> [statel; 

finish_storer: [Cstate],(€] -> [(Cstate],(]; 


act _topstk: (Cstkaddr.state],{(€] -> 
Cstkaddr.state],(€]; 

perform_topstk: [Estkaddr.state] -> [val]; 

Pinus cops tismuvyal i”, ©) —-> Cval),(]; 

act _pushstk: [val.stkaddr.stateJ],{[€] -> 
Cval.stkaddr.stateJ,(]; 

perform_pushstk: [Cval.stkaddr.state] -> [state]; 

finish_pushstk: [Cstate],(€] -> [state],(]; 

act _popstk: [Cstkaddr.state],[] -> 
Cstkaddr.state],(1]; 

perform_popstk: [Cstkaddr.state] -> [state]; 

finish_popstk: [(Cstate],(€] -> [Estatel],(]; 
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act _initstk: Ustkaddr.statel, } ie 
Cstkaddr.statel],(]; 

perform_initstk: [(Cstkaddr.state] -> (Cstatel]; 

finish_initstk: (statel],f] -> (stacciee 


perform_initam: [E] -> (stated 


Properties 

act fetchm(req fetchm(1)€m.q], accessm_availf€]) => 
fetchm_for(1)C],fetchm_activated(m.q]; 

perform_fetchm(fetchm_activated(m.q]) => 
fetchm_completedl[v]; 

finish_fetchm(fetch_completed(v], fetchm_for(1)(]) 

=> avail _fetchm(l) Cv], accessm_avail([]; 

act _storem(req _storem(l){€v.m.q], accessm_availf]) => 
storem_for(l1)CJ, storem_activated(v.m.q]; 

perform_storem(storem_activated(v.m.q]) => 
storem_completedl[q]; 

finish_storem(storem_completed(lql, 
storem_for(1)(€]) => 
avail _storem(1]1)C€q], accessm_availl]; 


act_fetchr(req fetchr(1]1)€.q], accessr_avail(f€j]) => 
fetechr_for(l)C1,fetchr_activatedi valk 
perform_fetchr(fetchr_activated(€.q]) => 
fetchr_completedl[v]; 
finish_fetchr(fetch_completed(v], fetchr_for(1)(]) 
=> avail_fetchr(l)€vl], accessr_availl]; 
act_storer(req storer(l)C€Cv..q], accessr_availl]) 
=> storer_for(1)C€], storer_activated[v..q]; 
perform_storer(storer_activated(v..q]) => 
storer_completed([q]; 
finish_storer(storer_completed([ql, 
storer for(1)(€1]) => avail_storer(l)Cql, 
accessr_availl]; 


act_topstk(req _topstk(l){€s.q], accessk_avail(l€J]) => 
topstk_for(1l)C€1], topstk_activated(s.q]; 

perform_topstk(topstk_activated(€s.q]) => 
topstk_completed(v]; 

finish_topstk(topstk oon Pe eae topstk_forcl)0 i =2 
avail _topstk(l)Cv1; 

act pushstk (req. pushasniGipia meen accessk_availl]) 
=> pushstk_for(l)JC1], pushstk_activated(v.s.q]; 

perform_pushstk(pushstk_activated(€s.q]) => 
pushstk_completed[qi]; 

finish_pushstk(pushstk_completed(qij], pushstk_for(1)0C] 
=> avail _pushstk(l)Cqil; 

act_popstk(req_popstk(1)€s.q], accessk_avail(€J]) => 
popstk_for(l)(], popstk_act#vatedlsaae 

perform_popstk(popstk_activated[(s.q]) => 
popstk_completed([qil; 
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finish_popstk(popstk_completed[(qij,popstk_for(!)C€1] => 
avail popstk(l)Cqil; 
act_initstk(req_initstk(1]l)Cs.qJ, accessk_availlJ) => 
Miitvetwmouer<«!J0)], initstk _activated(s.q]; 
perform_initstk(initstk_activated[(s.q]) => 
initstk completed(qi]; 
finish_initstk(Cinitstk_completed(€ql]J,initstk_for(1)C] 
=> avail _initstk(1l)Cq1jJ; 


perform_initam(req_initam[€]) => avail_initaml[state]; 


end amstate; 


Resource am is 


Extension of 
memaddress, 
intructiontype, 
typing, 
amstate 


Operands 
prog: memaddr,state -> state; 


cond: val,memaddr,memaddr - memaddr; 
exq: instr,memaddr,state -> state; 


Operators 
prog(m,q) = exq(atomofinstr(fetchm(m,q)),m,q); 
cond(valofbool (true(),m,m2)) = m; 
cond(valofboll(false(),m,m2)) = m2; 


Properties 
exq(monad(o,r,r2),m,q) = 
Pprog(nextmemaddr(m), 
Borer Capp rymopca,1etchr (r, aq) >), 
R24 
exq(dyad(o,r,r2,r3),m,q) = 
prog(nextmemaddr(m), 
storer(applydop(oa, 
HObeh@Cn, Gopenoechrtr2a,dq)),r3,q)); 
exqiGeniag«o,r,r2,r3,r4),m,q) = 
prog(nextmemaddr(m), 
storer(applytop(o,fetchr(r,q), 
bocce @ecnco, fretehri(r3s,q)),r4,q)); 
exq(moyvy m_r(€m,r),m,q) = 
prog(nextmemaddr(m), 
storem(fetchm(m,q),r,q)); 
e.aqumover m(r,m),m,q) = 
prog(nextmemaddr(m), 
arorem(tetcenr(r,q),m,q)); 


Lee 


exq(mevwmr rT (rr, £2), mM, oo 
prog(nextmemaddr(m), 
storem(fetchr(r, a)yrZzyepre 
exq(Cpushlr(r,s)5m, 475 
prog(nextmemaddr(m), 
pushstk(fetchr (nr; qv syape: 
exq (pop FCs, fm, c) -= 
prog(nextmemaddr(m), 
popstk(s,storer(topstk(s, 4), eyrq) 0) ame 
exq(jmp_r(€r),m,q) = 
prog(Catomofmemaddr(fetchr(r,q)),q);3 
exq(if Ca, r,r2,m1) sn ao ee 
prog(cond(lapplyrop(lo, fetchr(r,q), fetchr(rZ, apee 
mi,nextmemaddr(m)),q)3;3 
exq(jsr(m,s),m,q) = 
prog(m, pushstk( 
valofmemaddr (nextmemaddr(m)),8S,q))3 
exq(rts(s),m,q) = 
prog(Catomofmemaddr(topstk(s,q)),popstk(s,q)); 


Dynamic 
Entry Places 
req _ proglmemaddr.state]; 


req exq(netlabel)Cinstr.memaddr.state]; 
req cond(netlabel)Cval.memaddr.memaddr]; 


Exit Places 
avail_exq(netlabel) Cmemaddr.state]; 


avail cond(netlabel) C€memaddr]; 


Internal Places 
Proguaval lt); 
prog fetch(memaddr.state]; 
prog _instr(€memaddr.statel]; 
prog _performl] 


exq availl]d; 
exq for(netlabel)(]; 


exq_ monad_activated(state]; 
exq_monad_fetchlstatel]; 
exq_monad_applylstate]; 
exq_monad_storel[]; 


exq dyad_activated(statel]; 
exq dyad _fetchl[statel; 

exq dyad_applylstatel; 

exq dyad_storel[]; 


exq triad _ activated[(state]; 
exq triad fetch[statel]; 
exq_triad_apply[state]; 

exq _triad_storel]; 


exq mov_r_r_activated(state]; 
exq mov_r_r_perform(state]; 
exq mov_r_r_storel]; 


exq_mov_r_m_activated([state]; 
exq mov_r_m_performl[state]; 
exq mov_r_m_storel]; 


exq mov_m_r_activated(state]; 
exq mov_m_r_performl[state]; 
exq mov_m_r_storel]; 


exq push_r_activated([(state]; 
exq push_r_performl(statel]; 
exq push_r_pushl]; 


exq pop _r_activated([(state]; 
exq pop _r_performl[state]; 
exq pop _r_storel[]; 


Sxqupoper popl j; 


exq _jmp_r_activated(state]; 
exq _jmp_r_perform([state]; 
exq jmp_r_converting([statel]; 


exq if_activated(state]; 
exq if _ fetch[(statel]; 
exq_if_cond[statel]; 


cond_activated(memaddr.memaddr]; 


Initial State 
=> prog availl]; 


=> exq_availl]; 
=> cond_availl]; 


Transitions 

activate_prog: [1], €memaddr.state] -> 
C{memaddr.state], [(memaddr.state]; 

get_instr_prog: [memaddr.statel],[val] -> 
Cmemaddr.state],([(val]; 

perform_prog: [(memaddr.state],Cinstr] -> 
C],Cinstr.memaddr.statel]; 

finish_prog: [1], €memaddr.state] -> 
Cl],(memaddr.statel]; 
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activate_exq _monad: [Cinstr.memaddr.stateJ],(€] -> 
Cstatel],Cinstr], Cinstrj], Cinstr], (memaddr]; 

start_exq_monad: [Cstate],Cregaddr], -> 
Cstate],(regaddr.state]; 

apply_exq _monad: [CstateJ],loperator],(€val] -> 
Cstate],loperator.val]; 

store_exq_monad: [state],(€val],loperator] -> 
C],{val.regaddr.state]; 

finish_exq _monad: [(],€state],(memaddr] -> 
C(memaddr.statel]; 


activate _exq_dyad: Cinstr.memaddr.state],(] -> 
Cstate], linstr], Clinstr], Clinstr], Linstr], (memadare 

start_exq dyad: [state], (regaddrJ,Cregaddr] -> 
Cstate],(regaddr.state], (regaddr.state]; 

apply_exq_dyad: [(Cstatel],lCoperator],(€valj,C€valj -> 
Cstate], Coperator.val,val]; 

store_exq_dyad: [Cstate],(€valj],(regaddr] -> 
C],Cval.regaddr.state]; 

finish_exq dyad: (],€state],€memaddr] -> 
Cmemaddr.state]; 


activate_exq triad: Cinstr.memaddr.state],(€] -> 
Cstate],Cinstrjd,Cinstrj)],CinstrjJ,Cinstr], 
Cinstr]), (memaddr J]; 

start_exq triad: [state], (regaddrj],(regaddrJ,lregaddr] -> 
Cstate], (regaddr.state], C(regaddrj], (regaddr]; 

apply_exq_triad: Cstate], Coperator],(valj,l€valj,l€valj -> 
Cstate], loperator.val.val.val]; 

store_exq_triad: (Cstate],(€valj,Cregaddr] -> 
C],Cval.regaddr.state]; 

finish_exq_ triad: (],€stateJ],(memaddr] -> 
C(memaddr.state]; 


activate_exq_mov_r_r: Cinstr.memaddr.stateJ],[(€] -> 
Cstate],Cinstr], ClinstrJ], (memaddr]; 

start_exq _ mov_r_r: [CEstart],Cregaddr] -> 
Cstate], (regaddr.state]; 

store _ exq mov_r_r: [state], (regaddrj],(€val] -> 
C],C(val.regaddr.statel; 

finish_exq_mov_r_r: (€],(€state],(memaddr] -> 
Cmemaddr.state]; 


activate_exq mov_r_m: Cinstr.memaddr.state],(€] -> 
Cstate], Cinstr], Cinstr], (memaddr]; 

start_exq_mov_r_m: Cstart],Cregaddr] -> 
Cstatel], (regaddr.state]; 

store_exq_mov_r_m: Cstatel],(memaddrjJ,l€valJ] -> 
C],(val.memaddr.state]; 

finish_exq _mov_r_m: (],C€state],(memaddr] -> 
C(memaddr.state]; 
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activate _exq mov_m_r: [Cinstr.memaddr.state],(€] -> 
Cstate], Cinstr], Cinstr], {memaddr]; 

start_exq _mov_m_r: [start], {memaddr] -> 
C(state],{regaddr.state]; 

store _exq mov_m_r: ([state],Cregaddr],{fval] -> 
C],(€val.regaddr.state]; 

finish_exq_mov_m_r: (1],(€(state],(memaddr] -> 
{memaddr.statel]; 


activate_exq_push_r: [Cinstr.memaddr.state],(€] -> 
Cstate], (instr], Cinestr], (memaddr]; 

fetch_exq_push_r: [state], Cregaddr] -> 
[state], (regaddr.state]; 

push_exq_push_r: [statel],(€valJ],(€stkaddr] -> 
{],{€stkaddr.statel; 

finish_exq_push_r: [(],(€state],(memaddr] -> 
Cmemaddr.state]; 


activate_exq pop r: [finstr.memaddr.state],(€] -> 
Cstate], Cinstr], Cinstr], (memaddr]; 

pop_exq_ pop r: [state], (stkaddr] -> 
Cstate],{(stkaddr.state]; 

store_exq_ pop r: [state],(valJ],Cregaddr] -> 
C{stkaddr]J], (stkaddr.state]; 

top_exq_pop _r: [stkaddrj],{€state] -> 
C],(stkaddr.statel]; 

finish_exq_ pop r: [],€state],(€memaddr] -> 
{memaddr.state]; 


activate_exq jmp r(Cinstr.memaddr.state],(€]) -> 
Cstate)],Cinstr]; 

fetch_exq jmp_r(C€state],Cregaddr] -> 
Cstate],(regaddr.state]; 

convert_exq jmp _r(C€state],(€val]) -> 
Cstate)],(€vall]; 

finish((€(state],{memaddr]) -> 
{memaddr.state]; 


activate_cond((],{val.memaddr.memaddr]) -> 
Cmemaddr.memaddrj],(valj; 

finish_cond({memaddr.memaddrj],(€bool]) -> 
C(memaddr]; 


activate_exq if((€j],Cinstr.memaddr.statel]) -> 
C],Cstate],Cinstr], fCinstr], Cinstr], [(memaddr]; 

start_exq if ((€state], {regaddr],(regaddr]) -> 
Cregaddr.state],(regaddr.statel]; 

apply_exq_ if((€state],(valj],(€valj],Coperator]) -> 
Cstate], Coperator.val.val]d; 

cond_exq_ if(€state], (memaddrj],(€valj],{€memaddr]) -> 
Cstate],(val.memaddr.memaddr]; 
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finish_exq_ if (€statel],  (memaddr] -> 
Cmemaddr.state]; 


Properties 
activate_prog(prog_availl€l], req _proglm.q]) => 

prog _fetch[(€m.q], req fetchm(1]1)(m.q]; 
get_instr_prog(prog activated(m.q]J, avail fetchm(]11)C€v]) 

=> prog_instr(€m.q], req _atomofinstr(l2) Cv]; 
perform_prog(prog_instr(m.q]l, 

avail_atomofinstr(1]12)Cfij]) => 

prog _performl(], req _exq(!]13)li.m.q]; 
finish_prog(prog performl(], avail_exq(€(mi.qil]) => 

prog availlJ), requproctini=a a. 


activate _exq monad(exq availll, 
req _exq(]l)Cmonad(o.ri.r2).m.ql]) => 
exq for(l)C], exq_monad_activatedl[ql, 
req operator(]1)€monad(o.ri.r2)], 
req operandi(l2)Cmonad(o.ri1.r2)], 
req operand2(13)Cmonad(o.ri.r2)], 
req nextmemaddr(14)C€m]; 
start_exq_monad(exq_monad_activated[q], 
avail _operandi(li)€rijl) -> exq_monad_fetchlql, 
req fetchr CVS0f ric; 
apply_exq_monad(exq monad_fetchlq], avail_fetchr(15)Cvl, 
avail_operator(]1)Co0]) => exq_monad_applylq]l, 
req _apply_mop(16)lo.v]; 
store_exq monad(exq_monad_applylql, 
avail _ apply_mop(16)C€vil, avail_operand2(13)€r21]) => 
exq_monad_storel], req _storer(]/7)C€vi.r2.q]; 
finish_exq_monad(exq_ monad_storel(], avail_storer(l/)Cqil, 
avail nextmemaddr(14)€m1J]) => avail_exq(])C€m1.qil; 


activate_exq dyad(exq_availl], 
req exq(l)[dyad(o.ri.r2,r3) 2m. gies 
exq for(l)C], exq _dyad_activated(q], 
req _ operator(!|1)(dyad(o. risr2,r.soa, 
req operandi (|lZ)[(dyad@(o.rl.r2, tee 
req operand2(13) (dyad Co. rl.r27 2a. 
req operand3(18)(dyad(o.ri.r2Z,r3)], 
req _ nextmemaddr(14) Cm]; 
start_exq dyad(exq dyad_activated[q], 
avail _operandi(]1)Crij),avail_operand2(12)Cr2] 
-> exq dyad fetchiq], req fetchr @o) Gaal 
req fetenClS) [r2.q 12 
apply_exq dyad(exq_dyad_fetchlq], avail_fetchr(15)Cvil, 
avail _operator(]1)fo0]),avail_fetchr( 19) v2] 
=> exq dyad_applyl[q],req_apply_dop(!6)lCo.v1.v2]; 
store_exq dyad(exq dyad_applylql, 
avail_apply_dop(16)C€v3], avail_operand3(18)€r3]) => 
exq _ dyad_store[], req_storer(l/7)C€v3.r3.q]; 
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finish_exq_dyad(exq_dyad_storel], avail_storer(17)(Cqil, 
avail _nextmemaddr(14)C€m11]) => avail_exq(l)Cmi.qi1]; 


activate_exq triad(exq_ availl], 
req exq(Il)C€triad(o.ri.r2,r3,r4).m.q]) => 
exq for(l1)CJ], exq_triad_activated(q], 
req operator(!1)Ctriad(o.ri.r2,r3)], 
reqmaperanvahGlz  ttriagvo.rl.r2,r3) 1, 
req _ operand2(!13)Ctriad(o.ri.r2,r3)], 
req operand3(!18)Ctriad(o.ri.r2,r3)], 
req operand4(110)Ctriad(o.ri.r2,r3,r4)], 
req _nextmemaddr(!14)C€m1; , 
start_exq triad(exq triad_activated(ql], 
avail _operandi(!l1)Crijl),avail_operand2(12)(Cr2] 
avail _operand3(13)€r3],-> exq_triad_fetchlql]l, 
reqeretenr (1500 ri.aqumereq fetch( 19S) CrZ2.ql, 
Fequnetchrcll i) irs. qi; 
apply_exq triad(exq triad _fetchl(q], avail_fetchr(|15)Cvil, 
avail _operator(!1)CoJ),avail_fetchr(I9)Cv2], 
avail _fetchr(lii)Cv3] => exq_triad_applylq], 
reqmuapply topcliG)lLo.vi.vZ2.v3l; 
store_exq triad(exq _triad_applylql, 
avail_apply_top(!I6)C€v4], avail_operand4(18)C€r4]) => 
exq_triad_storel], req _storer(!/7)(€v4.r4.q]; 
finish_exq_triad(exq_triad_storel[], avail_storer(1!17)Cql1l, 
avail _nextmemaddr(!14)C€mij]) => avail_exq(l) C€mi.qgiJ; 


activate_exq_mov_r_ r(exq_availll, 
medqmeexawl) imov rortrt,r2).m.q)) => 
exq_ mov_r_r_activated(q], 
req _operandi(!l11)Cmov_r_r(ri,r2)], 
req _operand2(!2)C€mov_r_r(ri,r2)], 
req nextmemaddr(!13) Cm]; 
start_exq_mov_r_r(exq_mov_r_r_activated([q], 
avail_operandic¢cli)Crij) => 
excmmovenr Ceperforpmiq)], req fetehr( 14) €ri.qi]; 
store_exq_mov_r_r(exq_mov_r_r_performlq], 
avail _fetchr(14)C€vj, avail_operand2(!12)C€r2]) => 
exquneover rr storell], req storer(v.rZ2.q]; 
finish_exq_mov_r_r(exq _ mov_r_r_storel], avail _storer(qil, 
avail_nextmemaddr(!13)€m1iJ]) => 
avail_exq(!l)Cmit.q11]; 


activate_exq_mov_r_m(exq_ availl]l, 
req exq(l)Cmov_r_m(r1i,m2).m.q]) => 
exq_mov_r_m_activated(q], 
req operandi(|]l1i)Cmov_r_m(ri,m2)], 
req operand2(!12)C€(mov_r_m(ri,m2)], 
req nextmemaddr(13) Cm]; 
start_exq_mov_r_m(exq_mov_r_m_activatedl[q], 
avail_operandicli)Crijd) => 
exq mov rom perform(q], req fetchr(14)(€(ri.q]; 
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store_exq_ mov_r_mCexq_mov_r_m performlq], 
avail_fetchr(l4)C€vJ, avail _operand2(12)€m2]) => 
exq_mov_r_m_store[], req _storem(v.m2.q]; 
finish_exq_mov_r_m(exq_mov_r_m_storel[], avail_storem[qil, 
avail nextmemaddr(13)€m1iJ]) => 
avail _exq(1){€m1.qil; 


activate_exq_mov_m_rtexq_availl], 
req_exq(!l)Cmov_m_r(m2,r2).m.q]) => 
exq_ mov_m_r_activated(q], 
req _ operandi(]li)Cmov_m_or(m2,r2)], 
req operand2(!12)C€mov_m_r(m2,r2)], 
req_nextmemaddr(13)(C€m]; 
start_exq_ mov_m_r(Cexq_mov_m_r_activated(ql]l, 
avail operandi(l1)€m2]) => 
exq_ mov_m_r_perform(q]J, req _fetchm(14)(€m2.q]; 
store_exq mov_m_r(texq_mov_m_r_performlgq], 
avail _ fetchm(14)CvJ, avail_operand2(12)C€r2]) => 
exq mov_m_r_storel], req storerivercZ. oi, 
finish_exq_mov_m_r(exq _mov_m_r_store[], avail storer[qlil, 
avail nextmemaddr(13)€mi1J) => 
avail_exq(l)€mi.qil; 


activate_exq_ push_r(exq availll], 
req_exq(l)Cpush_r(s,r).m.qj]) => 
exq push _r_activatedt(gq], 
req _ operandicli)Cpush_r(s,r)J, 
req operand2(!2) [pushemGs.. ae 
req _ nextmemaddr(13)(m]; 
fetch_exq_ push_r(exq push_r_activated(ql], 
avail operand2(!2)(rjJ]) => 
exq push_r perform(q1], req_fetehr G4 ir... 
push_exq_push_r(exq push_r_perform(ql, 
avail _fetchr(14)€vJ], avail _operandi(li)C€sj]) => 
exq_ push_r_storel], req _pushlv.s.q]; 
finish_exq_push_r¢(exq _push_r_store[], avail _pushlqil, 
avail _nextmemaddr(13)€m1]) => 
avail_exq(l)€mi.qil; 


activate_exq pop rtexq_ availl], 

req exq(])fpep r(s, rem gq) e— 

exq pop r_activatedlq], 

req operand! <(] 1) fsorer (sige 

req _ operand2(12)Cpop_r(s,r)J, 

req _nextmemaddr(13) (mJ; 
pop _exq pop r(exq pop _r_activated(q], 

avail _operandi(l1)€sJ]) => 

exq pop _ r_perform[(q], req _top(14)Cs.q]J; 
store_exq pop _ r(exq_pop r_performlq]l, 

avail _top(14){€vl], avail_operand2(1]2)C€rJ) => 

exq pop r_storel(s], req_storerl[v.r.q]J; 
top_exq pop _rtexq pop _r_store[s]J,avail_storer[fqi] => 
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exq pop _r_pop{],req_pop(s.qi]J; 
finish_exq pop _ r(exq_pop_r_pop(], avail_poplq2], 
avail _nextmemaddr(13)C€mijJ) => 
avail_exq(l)C€m1.q2]; 


activate_exq_jmp_r(exgq_avail(f], 

req exq(l)Cjmp(r).m.qjJ) => 

exq jmp_r_activatedl[q], 

req operand1i(]1)Cjmp(r)J; 
fetch_exq_jmp_r(exq_jmp_r_activated(q], 

avail _operandi(l1)C€rJ] => 

exq jmp _r_performlq],req_fetchr(!l2)C€r.q]; 
convert_exq jmp_r(exq_jmp_r_performltq], 

avail _fetchr(l2)CvJ]) => 

exq_jmp_r_convertinglq],req_atomofmemaddr(13)Cv]; 
finish_exq jmp_r(exq_jmp_r_convertinglq], 

avail _atomofmemaddr(!13)€mi] => 

avail_exq(l){€m1i.q]; 


activate_cond(cond_availf],req_cond(1l1)C€v.mi.m2]) => 
cond_activated({mi.m2], req_atomofbool(li)lv]J; 

finish_cond(cond_activated(mi.m2], 
avail_atomofboo!l(li)€true()] => 
avail_cond(!)C€m1ij; 

finish_cond(cond_activated(mi.m2], 
avail_atomofbool(l1)Cfalse()J => 
avarlecond<( |) (m2); 


activate_exq_if(exq availl], 
ReGmemcl HL Tr (oO. ri.rZ.mi).m.qi) => 
exq for(l1) CJ, exq_if_activated(q], 
mecmeperatorCll)£CifCo.ri.r2Z2.mi)d, 
RpequeapetranadlClZ)Cifto.rl.rZ2.mi)dil, 
neqmuopverandz(!13S)Lifto.ri.rzZ.mi)d, 
req _ nextmemaddr(14) Cm] 

start_exq iftexq_if_activated([ql, 

avail _operandi(li)Crij,avail _operand2(!l2)C€r2]) 

-> exq_if_fetchlq],req fetchr(!15)Cri.q] 
reqmnetehr<!/)fri.ql; 

apply_exq_iftexq_if_fetch(€q], avail_fetchr(IS)C€vil, 
avail _fetchr(!l7)Cv2)], avail_operator(]l1i)£fo]) => 
exqmilfeapplyiql], req _apply_rop(I6)fo.vi.v2]; 

cond_exq_iftexq_if_applylq],avail_nextmemaddr(14)€m2] 
avail _operand3(13)€m3],avail_apply_rop(I6)0€v3], => 
exam leconalald, req cond(!l7)Cv3.m3.m2]; 

finish_exq_if(Cexq_ if _cond[q], avail_cond(!7)€m3]) => 
avail_exq(1){€m3.q]; 


end am; 
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